diff --git a/CHANGELOG.md b/CHANGELOG.md
index 538f61027678..6b29b40b6bc3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ ENHANCEMENTS:
 * data-source/aws_iam_group: Add `users` attribute [GH-7132]
 * resource/aws_apigateway_stage: Add `arn` attribute [GH-10570]
 * resource/aws_apigateway_usage_plan: Add `tags` argument and `arn` attribute [GH-10566]
+* resource/aws_s3_bucket: Retry reading tags on `NoSuchBucket` errors due to eventual inconsistency [GH-10863]
 * resource/aws_waf_rule: Add `arn` attribute [GH-10798]
 * resource/aws_waf_rule_group: Add `arn` attribute [GH-10799]
 
diff --git a/aws/internal/keyvaluetags/generators/listtags/main.go b/aws/internal/keyvaluetags/generators/listtags/main.go
index 92c0a8ca6425..ea6a7fc65cbd 100644
--- a/aws/internal/keyvaluetags/generators/listtags/main.go
+++ b/aws/internal/keyvaluetags/generators/listtags/main.go
@@ -86,6 +86,7 @@ var serviceNames = []string{
 	"swf",
 	"transfer",
 	"waf",
+	"wafregional",
 	"workspaces",
 }
 
@@ -107,6 +108,7 @@ func main() {
 		"ListTagsInputIdentifierRequiresSlice": ServiceListTagsInputIdentifierRequiresSlice,
 		"ListTagsInputResourceTypeField":       ServiceListTagsInputResourceTypeField,
 		"ListTagsOutputTagsField":              ServiceListTagsOutputTagsField,
+		"TagPackage":                           keyvaluetags.ServiceTagPackage,
 		"Title":                                strings.Title,
 	}
 
@@ -161,7 +163,7 @@ import (
 // The identifier is typically the Amazon Resource Name (ARN), although
 // it may also be a different identifier depending on the service.
 func {{ . | Title }}ListTags(conn {{ . | ClientType }}, identifier string{{ if . | ListTagsInputResourceTypeField }}, resourceType string{{ end }}) (KeyValueTags, error) {
-	input := &{{ . }}.{{ . | ListTagsFunction }}Input{
+	input := &{{ . | TagPackage  }}.{{ . | ListTagsFunction }}Input{
 		{{- if . | ListTagsInputIdentifierRequiresSlice }}
 		{{ . | ListTagsInputIdentifierField }}:   aws.StringSlice([]string{identifier}),
 		{{- else }}
@@ -302,6 +304,8 @@ func ServiceListTagsInputIdentifierField(serviceName string) string {
 		return "ResourceId"
 	case "waf":
 		return "ResourceARN"
+	case "wafregional":
+		return "ResourceARN"
 	default:
 		return "ResourceArn"
 	}
@@ -330,8 +334,6 @@ func ServiceListTagsInputResourceTypeField(serviceName string) string {
 // ServiceListTagsOutputTagsField determines the service tag field.
 func ServiceListTagsOutputTagsField(serviceName string) string {
 	switch serviceName {
-	case "waf":
-		return "TagInfoForResource.TagList"
 	case "cloudhsmv2":
 		return "TagList"
 	case "databasemigrationservice":
@@ -352,6 +354,10 @@ func ServiceListTagsOutputTagsField(serviceName string) string {
 		return "TagList"
 	case "ssm":
 		return "TagList"
+	case "waf":
+		return "TagInfoForResource.TagList"
+	case "wafregional":
+		return "TagInfoForResource.TagList"
 	case "workspaces":
 		return "TagList"
 	default:
diff --git a/aws/internal/keyvaluetags/generators/servicetags/main.go b/aws/internal/keyvaluetags/generators/servicetags/main.go
index 9fae3fa30d91..a074e68aad88 100644
--- a/aws/internal/keyvaluetags/generators/servicetags/main.go
+++ b/aws/internal/keyvaluetags/generators/servicetags/main.go
@@ -10,6 +10,8 @@ import (
 	"sort"
 	"strings"
 	"text/template"
+
+	"github.com/terraform-providers/terraform-provider-aws/aws/internal/keyvaluetags"
 )
 
 const filename = `service_tags_gen.go`
@@ -85,6 +87,7 @@ var sliceServiceNames = []string{
 	"swf",
 	"transfer",
 	"waf",
+	"wafregional",
 	"workspaces",
 }
 
@@ -134,6 +137,7 @@ func main() {
 		SliceServiceNames: sliceServiceNames,
 	}
 	templateFuncMap := template.FuncMap{
+		"TagPackage":        keyvaluetags.ServiceTagPackage,
 		"TagType":           ServiceTagType,
 		"TagTypeKeyField":   ServiceTagTypeKeyField,
 		"TagTypeValueField": ServiceTagTypeValueField,
@@ -182,8 +186,10 @@ package keyvaluetags
 import (
 	"github.com/aws/aws-sdk-go/aws"
 {{- range .SliceServiceNames }}
+{{- if eq . (. | TagPackage) }}
 	"github.com/aws/aws-sdk-go/service/{{ . }}"
 {{- end }}
+{{- end }}
 )
 
 // map[string]*string handling
@@ -204,11 +210,11 @@ func {{ . | Title }}KeyValueTags(tags map[string]*string) KeyValueTags {
 {{- range .SliceServiceNames }}
 
 // {{ . | Title }}Tags returns {{ . }} service tags.
-func (tags KeyValueTags) {{ . | Title }}Tags() []*{{ . }}.{{ . | TagType }} {
-	result := make([]*{{ . }}.{{ . | TagType }}, 0, len(tags))
+func (tags KeyValueTags) {{ . | Title }}Tags() []*{{ . | TagPackage }}.{{ . | TagType }} {
+	result := make([]*{{ . | TagPackage }}.{{ . | TagType }}, 0, len(tags))
 
 	for k, v := range tags.Map() {
-		tag := &{{ . }}.{{ . | TagType }}{
+		tag := &{{ . | TagPackage }}.{{ . | TagType }}{
 			{{ . | TagTypeKeyField }}:   aws.String(k),
 			{{ . | TagTypeValueField }}: aws.String(v),
 		}
@@ -220,7 +226,7 @@ func (tags KeyValueTags) {{ . | Title }}Tags() []*{{ . }}.{{ . | TagType }} {
 }
 
 // {{ . | Title }}KeyValueTags creates KeyValueTags from {{ . }} service tags.
-func {{ . | Title }}KeyValueTags(tags []*{{ . }}.{{ . | TagType }}) KeyValueTags {
+func {{ . | Title }}KeyValueTags(tags []*{{ . | TagPackage }}.{{ . | TagType }}) KeyValueTags {
 	m := make(map[string]*string, len(tags))
 
 	for _, tag := range tags {
diff --git a/aws/internal/keyvaluetags/generators/updatetags/main.go b/aws/internal/keyvaluetags/generators/updatetags/main.go
index 524f25499166..9e8cef5c391a 100644
--- a/aws/internal/keyvaluetags/generators/updatetags/main.go
+++ b/aws/internal/keyvaluetags/generators/updatetags/main.go
@@ -94,6 +94,7 @@ var serviceNames = []string{
 	"swf",
 	"transfer",
 	"waf",
+	"wafregional",
 	"workspaces",
 }
 
@@ -115,6 +116,7 @@ func main() {
 		"TagInputIdentifierRequiresSlice": ServiceTagInputIdentifierRequiresSlice,
 		"TagInputResourceTypeField":       ServiceTagInputResourceTypeField,
 		"TagInputTagsField":               ServiceTagInputTagsField,
+		"TagPackage":                      keyvaluetags.ServiceTagPackage,
 		"Title":                           strings.Title,
 		"UntagFunction":                   ServiceUntagFunction,
 		"UntagInputRequiresTagType":       ServiceUntagInputRequiresTagType,
@@ -178,7 +180,7 @@ func {{ . | Title }}UpdateTags(conn {{ . | ClientType }}, identifier string{{ if
 	newTags := New(newTagsMap)
 
 	if removedTags := oldTags.Removed(newTags); len(removedTags) > 0 {
-		input := &{{ . }}.{{ . | UntagFunction }}Input{
+		input := &{{ . | TagPackage }}.{{ . | UntagFunction }}Input{
 			{{- if . | TagInputIdentifierRequiresSlice }}
 			{{ . | TagInputIdentifierField }}:   aws.StringSlice([]string{identifier}),
 			{{- else }}
@@ -202,7 +204,7 @@ func {{ . | Title }}UpdateTags(conn {{ . | ClientType }}, identifier string{{ if
 	}
 
 	if updatedTags := oldTags.Updated(newTags); len(updatedTags) > 0 {
-		input := &{{ . }}.{{ . | TagFunction }}Input{
+		input := &{{ . | TagPackage }}.{{ . | TagFunction }}Input{
 			{{- if . | TagInputIdentifierRequiresSlice }}
 			{{ . | TagInputIdentifierField }}:   aws.StringSlice([]string{identifier}),
 			{{- else }}
@@ -365,6 +367,8 @@ func ServiceTagInputIdentifierField(serviceName string) string {
 		return "Arn"
 	case "waf":
 		return "ResourceARN"
+	case "wafregional":
+		return "ResourceARN"
 	case "workspaces":
 		return "ResourceId"
 	default:
diff --git a/aws/internal/keyvaluetags/list_tags_gen.go b/aws/internal/keyvaluetags/list_tags_gen.go
index 5765d2b3268f..71899c8a4f7a 100644
--- a/aws/internal/keyvaluetags/list_tags_gen.go
+++ b/aws/internal/keyvaluetags/list_tags_gen.go
@@ -73,6 +73,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/swf"
 	"github.com/aws/aws-sdk-go/service/transfer"
 	"github.com/aws/aws-sdk-go/service/waf"
+	"github.com/aws/aws-sdk-go/service/wafregional"
 	"github.com/aws/aws-sdk-go/service/workspaces"
 )
 
@@ -1250,6 +1251,23 @@ func WafListTags(conn *waf.WAF, identifier string) (KeyValueTags, error) {
 	return WafKeyValueTags(output.TagInfoForResource.TagList), nil
 }
 
+// WafregionalListTags lists wafregional service tags.
+// The identifier is typically the Amazon Resource Name (ARN), although
+// it may also be a different identifier depending on the service.
+func WafregionalListTags(conn *wafregional.WAFRegional, identifier string) (KeyValueTags, error) {
+	input := &waf.ListTagsForResourceInput{
+		ResourceARN: aws.String(identifier),
+	}
+
+	output, err := conn.ListTagsForResource(input)
+
+	if err != nil {
+		return New(nil), err
+	}
+
+	return WafregionalKeyValueTags(output.TagInfoForResource.TagList), nil
+}
+
 // WorkspacesListTags lists workspaces service tags.
 // The identifier is typically the Amazon Resource Name (ARN), although
 // it may also be a different identifier depending on the service.
diff --git a/aws/internal/keyvaluetags/service_generation_customizations.go b/aws/internal/keyvaluetags/service_generation_customizations.go
index 0b3c2eca82e3..c2851e2a12e8 100644
--- a/aws/internal/keyvaluetags/service_generation_customizations.go
+++ b/aws/internal/keyvaluetags/service_generation_customizations.go
@@ -88,6 +88,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/swf"
 	"github.com/aws/aws-sdk-go/service/transfer"
 	"github.com/aws/aws-sdk-go/service/waf"
+	"github.com/aws/aws-sdk-go/service/wafregional"
 	"github.com/aws/aws-sdk-go/service/workspaces"
 )
 
@@ -262,6 +263,8 @@ func ServiceClientType(serviceName string) string {
 		funcType = reflect.TypeOf(transfer.New)
 	case "waf":
 		funcType = reflect.TypeOf(waf.New)
+	case "wafregional":
+		funcType = reflect.TypeOf(wafregional.New)
 	case "workspaces":
 		funcType = reflect.TypeOf(workspaces.New)
 	default:
@@ -270,3 +273,12 @@ func ServiceClientType(serviceName string) string {
 
 	return funcType.Out(0).String()
 }
+
+func ServiceTagPackage(serviceName string) string {
+	switch serviceName {
+	case "wafregional":
+		return "waf"
+	default:
+		return serviceName
+	}
+}
diff --git a/aws/internal/keyvaluetags/service_tags_gen.go b/aws/internal/keyvaluetags/service_tags_gen.go
index 21e53e9b49fd..2a31af4a6430 100644
--- a/aws/internal/keyvaluetags/service_tags_gen.go
+++ b/aws/internal/keyvaluetags/service_tags_gen.go
@@ -2195,6 +2195,33 @@ func WafKeyValueTags(tags []*waf.Tag) KeyValueTags {
 	return New(m)
 }
 
+// WafregionalTags returns wafregional service tags.
+func (tags KeyValueTags) WafregionalTags() []*waf.Tag {
+	result := make([]*waf.Tag, 0, len(tags))
+
+	for k, v := range tags.Map() {
+		tag := &waf.Tag{
+			Key:   aws.String(k),
+			Value: aws.String(v),
+		}
+
+		result = append(result, tag)
+	}
+
+	return result
+}
+
+// WafregionalKeyValueTags creates KeyValueTags from wafregional service tags.
+func WafregionalKeyValueTags(tags []*waf.Tag) KeyValueTags {
+	m := make(map[string]*string, len(tags))
+
+	for _, tag := range tags {
+		m[aws.StringValue(tag.Key)] = tag.Value
+	}
+
+	return New(m)
+}
+
 // WorkspacesTags returns workspaces service tags.
 func (tags KeyValueTags) WorkspacesTags() []*workspaces.Tag {
 	result := make([]*workspaces.Tag, 0, len(tags))
diff --git a/aws/internal/keyvaluetags/update_tags_gen.go b/aws/internal/keyvaluetags/update_tags_gen.go
index 6b10dccda20d..676e748edde6 100644
--- a/aws/internal/keyvaluetags/update_tags_gen.go
+++ b/aws/internal/keyvaluetags/update_tags_gen.go
@@ -83,6 +83,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/swf"
 	"github.com/aws/aws-sdk-go/service/transfer"
 	"github.com/aws/aws-sdk-go/service/waf"
+	"github.com/aws/aws-sdk-go/service/wafregional"
 	"github.com/aws/aws-sdk-go/service/workspaces"
 )
 
@@ -2860,6 +2861,42 @@ func WafUpdateTags(conn *waf.WAF, identifier string, oldTagsMap interface{}, new
 	return nil
 }
 
+// WafregionalUpdateTags updates wafregional service tags.
+// The identifier is typically the Amazon Resource Name (ARN), although
+// it may also be a different identifier depending on the service.
+func WafregionalUpdateTags(conn *wafregional.WAFRegional, identifier string, oldTagsMap interface{}, newTagsMap interface{}) error {
+	oldTags := New(oldTagsMap)
+	newTags := New(newTagsMap)
+
+	if removedTags := oldTags.Removed(newTags); len(removedTags) > 0 {
+		input := &waf.UntagResourceInput{
+			ResourceARN: aws.String(identifier),
+			TagKeys:     aws.StringSlice(removedTags.Keys()),
+		}
+
+		_, err := conn.UntagResource(input)
+
+		if err != nil {
+			return fmt.Errorf("error untagging resource (%s): %w", identifier, err)
+		}
+	}
+
+	if updatedTags := oldTags.Updated(newTags); len(updatedTags) > 0 {
+		input := &waf.TagResourceInput{
+			ResourceARN: aws.String(identifier),
+			Tags:        updatedTags.IgnoreAws().WafregionalTags(),
+		}
+
+		_, err := conn.TagResource(input)
+
+		if err != nil {
+			return fmt.Errorf("error tagging resource (%s): %w", identifier, err)
+		}
+	}
+
+	return nil
+}
+
 // WorkspacesUpdateTags updates workspaces service tags.
 // The identifier is typically the Amazon Resource Name (ARN), although
 // it may also be a different identifier depending on the service.
diff --git a/aws/resource_aws_lambda_function_test.go b/aws/resource_aws_lambda_function_test.go
index 608e3b306edf..189b8543afbf 100644
--- a/aws/resource_aws_lambda_function_test.go
+++ b/aws/resource_aws_lambda_function_test.go
@@ -616,6 +616,39 @@ func TestAccAWSLambdaFunction_tracingConfig(t *testing.T) {
 	})
 }
 
+// This test is to verify the existing behavior in the Lambda API where the KMS Key ARN
+// is not returned if environment variables are not in use. If the API begins saving this
+// value and the kms_key_arn check begins failing, the documentation should be updated.
+// Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/6366
+func TestAccAWSLambdaFunction_KmsKeyArn_NoEnvironmentVariables(t *testing.T) {
+	var function1 lambda.GetFunctionOutput
+
+	rName := acctest.RandomWithPrefix("tf-acc-test")
+	resourceName := "aws_lambda_function.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckLambdaFunctionDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSLambdaConfigKmsKeyArnNoEnvironmentVariables(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAwsLambdaFunctionExists(resourceName, rName, &function1),
+					resource.TestCheckResourceAttr(resourceName, "kms_key_arn", ""),
+				),
+				ExpectNonEmptyPlan: true,
+			},
+			{
+				ResourceName:            resourceName,
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"filename", "publish"},
+			},
+		},
+	})
+}
+
 func TestAccAWSLambdaFunction_Layers(t *testing.T) {
 	var conf lambda.GetFunctionOutput
 
@@ -2192,6 +2225,42 @@ resource "aws_lambda_function" "test" {
 `, funcName)
 }
 
+func testAccAWSLambdaConfigKmsKeyArnNoEnvironmentVariables(rName string) string {
+	return fmt.Sprintf(baseAccAWSLambdaConfig(rName, rName, rName)+`
+resource "aws_kms_key" "test" {
+  description             = %[1]q
+  deletion_window_in_days = 7
+
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Id": "kms-tf-1",
+  "Statement": [
+    {
+      "Sid": "Enable IAM User Permissions",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "*"
+      },
+      "Action": "kms:*",
+      "Resource": "*"
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_lambda_function" "test" {
+  filename      = "test-fixtures/lambdatest.zip"
+  function_name = %[1]q
+  handler       = "exports.example"
+  kms_key_arn   = "${aws_kms_key.test.arn}"
+  role          = "${aws_iam_role.iam_for_lambda.arn}"
+  runtime       = "nodejs8.10"
+}
+`, rName)
+}
+
 func testAccAWSLambdaConfigWithLayers(funcName, layerName, policyName, roleName, sgName string) string {
 	return fmt.Sprintf(baseAccAWSLambdaConfig(policyName, roleName, sgName)+`
 resource "aws_lambda_layer_version" "test" {
diff --git a/aws/s3_tags.go b/aws/s3_tags.go
index 3f99c16982d7..5e8376e84e1b 100644
--- a/aws/s3_tags.go
+++ b/aws/s3_tags.go
@@ -14,17 +14,32 @@ import (
 // s3.GetBucketTagging, except returns an empty slice instead of an error when
 // there are no tags.
 func getTagSetS3Bucket(conn *s3.S3, bucket string) ([]*s3.Tag, error) {
-	resp, err := conn.GetBucketTagging(&s3.GetBucketTaggingInput{
+	input := &s3.GetBucketTaggingInput{
 		Bucket: aws.String(bucket),
+	}
+
+	// Retry due to S3 eventual consistency
+	outputRaw, err := retryOnAwsCode(s3.ErrCodeNoSuchBucket, func() (interface{}, error) {
+		return conn.GetBucketTagging(input)
 	})
+
+	// S3 API Reference (https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketTagging.html)
+	// lists the special error as NoSuchTagSetError, however the existing logic used NoSuchTagSet
+	// and the AWS Go SDK has neither as a constant.
+	if isAWSErr(err, "NoSuchTagSet", "") {
+		return nil, nil
+	}
+
 	if err != nil {
-		if isAWSErr(err, "NoSuchTagSet", "") {
-			return nil, nil
-		}
 		return nil, err
 	}
 
-	return resp.TagSet, nil
+	var tagSet []*s3.Tag
+	if output, ok := outputRaw.(*s3.GetBucketTaggingOutput); ok {
+		tagSet = output.TagSet
+	}
+
+	return tagSet, nil
 }
 
 // setTags is a helper to set the tags for a resource. It expects the
diff --git a/go.mod b/go.mod
index 4e1f8fe54d70..9c5bb672c113 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.13
 
 require (
 	github.com/apparentlymart/go-dump v0.0.0-20190214190832-042adf3cf4a0 // indirect
-	github.com/aws/aws-sdk-go v1.25.31
+	github.com/aws/aws-sdk-go v1.25.34
 	github.com/beevik/etree v1.1.0
 	github.com/bflad/tfproviderlint v0.5.0
 	github.com/client9/misspell v0.3.4
diff --git a/go.sum b/go.sum
index fda17d3770bc..32d618282600 100644
--- a/go.sum
+++ b/go.sum
@@ -36,8 +36,8 @@ github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgI
 github.com/aws/aws-sdk-go v1.15.78/go.mod h1:E3/ieXAlvM0XWO57iftYVDLLvQ824smPP3ATZkfNZeM=
 github.com/aws/aws-sdk-go v1.19.39/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.25.3/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
-github.com/aws/aws-sdk-go v1.25.31 h1:14mdh3HsTgRekePPkYcCbAaEXJknc3mN7f4XfsiMMDA=
-github.com/aws/aws-sdk-go v1.25.31/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
+github.com/aws/aws-sdk-go v1.25.34 h1:roL040qe1npx1ToFeXYHOGp/nOpLbcIQHKZ5UeDIyIM=
+github.com/aws/aws-sdk-go v1.25.34/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/beevik/etree v1.1.0 h1:T0xke/WvNtMoCqgzPhkX2r4rjY3GDZFi+FjpRZY2Jbs=
 github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/awsutil/path_value.go b/vendor/github.com/aws/aws-sdk-go/aws/awsutil/path_value.go
index 285e54d67993..a4eb6a7f43aa 100644
--- a/vendor/github.com/aws/aws-sdk-go/aws/awsutil/path_value.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/awsutil/path_value.go
@@ -70,7 +70,7 @@ func rValuesAtPath(v interface{}, path string, createPath, caseSensitive, nilTer
 			value = value.FieldByNameFunc(func(name string) bool {
 				if c == name {
 					return true
-				} else if !caseSensitive && strings.ToLower(name) == strings.ToLower(c) {
+				} else if !caseSensitive && strings.EqualFold(name, c) {
 					return true
 				}
 				return false
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go
index f63449788af0..0339b95add2b 100644
--- a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go
@@ -1104,6 +1104,22 @@ var awsPartition = partition{
 				"us-west-2":      endpoint{},
 			},
 		},
+		"dataexchange": service{
+
+			Endpoints: endpoints{
+				"ap-northeast-1": endpoint{},
+				"ap-northeast-2": endpoint{},
+				"ap-southeast-1": endpoint{},
+				"ap-southeast-2": endpoint{},
+				"eu-central-1":   endpoint{},
+				"eu-west-1":      endpoint{},
+				"eu-west-2":      endpoint{},
+				"us-east-1":      endpoint{},
+				"us-east-2":      endpoint{},
+				"us-west-1":      endpoint{},
+				"us-west-2":      endpoint{},
+			},
+		},
 		"datapipeline": service{
 
 			Endpoints: endpoints{
@@ -1166,6 +1182,8 @@ var awsPartition = partition{
 				"ap-southeast-2": endpoint{},
 				"eu-central-1":   endpoint{},
 				"eu-west-1":      endpoint{},
+				"eu-west-2":      endpoint{},
+				"eu-west-3":      endpoint{},
 				"sa-east-1":      endpoint{},
 				"us-east-1":      endpoint{},
 				"us-east-2":      endpoint{},
@@ -3508,11 +3526,26 @@ var awsPartition = partition{
 		"shield": service{
 			IsRegionalized: boxedFalse,
 			Defaults: endpoint{
-				SSLCommonName: "shield.us-east-1.amazonaws.com",
+				SSLCommonName: "shield.ca-central-1.amazonaws.com",
 				Protocols:     []string{"https"},
 			},
 			Endpoints: endpoints{
-				"us-east-1": endpoint{},
+				"ap-northeast-1": endpoint{},
+				"ap-northeast-2": endpoint{},
+				"ap-south-1":     endpoint{},
+				"ap-southeast-1": endpoint{},
+				"ap-southeast-2": endpoint{},
+				"ca-central-1":   endpoint{},
+				"eu-central-1":   endpoint{},
+				"eu-north-1":     endpoint{},
+				"eu-west-1":      endpoint{},
+				"eu-west-2":      endpoint{},
+				"eu-west-3":      endpoint{},
+				"sa-east-1":      endpoint{},
+				"us-east-1":      endpoint{},
+				"us-east-2":      endpoint{},
+				"us-west-1":      endpoint{},
+				"us-west-2":      endpoint{},
 			},
 		},
 		"sms": service{
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/version.go b/vendor/github.com/aws/aws-sdk-go/aws/version.go
index 199dbfee58c4..9e5d1a9c3855 100644
--- a/vendor/github.com/aws/aws-sdk-go/aws/version.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/version.go
@@ -5,4 +5,4 @@ package aws
 const SDKName = "aws-sdk-go"
 
 // SDKVersion is the version of this SDK
-const SDKVersion = "1.25.31"
+const SDKVersion = "1.25.34"
diff --git a/vendor/github.com/aws/aws-sdk-go/service/cloudformation/api.go b/vendor/github.com/aws/aws-sdk-go/service/cloudformation/api.go
index e0ac414e9d49..c79f716f12d8 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/cloudformation/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/cloudformation/api.go
@@ -245,10 +245,11 @@ func (c *CloudFormation) CreateChangeSetRequest(input *CreateChangeSetInput) (re
 //
 // To create a change set for a stack that doesn't exist, for the ChangeSetType
 // parameter, specify CREATE. To create a change set for an existing stack,
-// specify UPDATE for the ChangeSetType parameter. After the CreateChangeSet
-// call successfully completes, AWS CloudFormation starts creating the change
-// set. To check the status of the change set or to review it, use the DescribeChangeSet
-// action.
+// specify UPDATE for the ChangeSetType parameter. To create a change set for
+// an import operation, specify IMPORT for the ChangeSetType parameter. After
+// the CreateChangeSet call successfully completes, AWS CloudFormation starts
+// creating the change set. To check the status of the change set or to review
+// it, use the DescribeChangeSet action.
 //
 // When you are satisfied with the changes the change set will make, execute
 // the change set by using the ExecuteChangeSet action. AWS CloudFormation doesn't
@@ -4142,10 +4143,10 @@ func (c *CloudFormation) UpdateTerminationProtectionRequest(input *UpdateTermina
 // Updates termination protection for the specified stack. If a user attempts
 // to delete a stack with termination protection enabled, the operation fails
 // and the stack remains unchanged. For more information, see Protecting a Stack
-// From Being Deleted (AWSCloudFormation/latest/UserGuide/using-cfn-protect-stacks.html)
+// From Being Deleted (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-protect-stacks.html)
 // in the AWS CloudFormation User Guide.
 //
-// For nested stacks (AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html),
+// For nested stacks (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html),
 // termination protection is set on the root stack and cannot be changed directly
 // on the nested stack.
 //
@@ -4321,13 +4322,25 @@ func (s *AccountGateResult) SetStatusReason(v string) *AccountGateResult {
 	return s
 }
 
-// The AccountLimit data type. For more information about account limits, see
-// AWS CloudFormation Limits (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html)
+// The AccountLimit data type.
+//
+// CloudFormation has the following limits per account:
+//
+//    * Number of concurrent resources
+//
+//    * Number of stacks
+//
+//    * Number of stack outputs
+//
+// For more information about these account limits, and other CloudFormation
+// limits, see AWS CloudFormation Limits (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html)
 // in the AWS CloudFormation User Guide.
 type AccountLimit struct {
 	_ struct{} `type:"structure"`
 
 	// The name of the account limit.
+	//
+	// Values: ConcurrentResourcesLimit | StackLimit | StackOutputsLimit
 	Name *string `type:"string"`
 
 	// The value that is associated with the account limit name.
@@ -4709,7 +4722,7 @@ func (s ContinueUpdateRollbackOutput) GoString() string {
 type CreateChangeSetInput struct {
 	_ struct{} `type:"structure"`
 
-	// In some cases, you must explicity acknowledge that your stack template contains
+	// In some cases, you must explicitly acknowledge that your stack template contains
 	// certain capabilities in order for AWS CloudFormation to create the stack.
 	//
 	//    * CAPABILITY_IAM and CAPABILITY_NAMED_IAM Some stack templates might include
@@ -4765,6 +4778,7 @@ type CreateChangeSetInput struct {
 
 	// The type of change set operation. To create a change set for a new stack,
 	// specify CREATE. To create a change set for an existing stack, specify UPDATE.
+	// To create a change set for an import operation, specify IMPORT.
 	//
 	// If you create a change set for a new stack, AWS Cloudformation creates a
 	// stack with a unique stack ID, but no template or resources. The stack will
@@ -4807,6 +4821,9 @@ type CreateChangeSetInput struct {
 	// in the AWS CloudFormation User Guide.
 	ResourceTypes []*string `type:"list"`
 
+	// The resources to import into your stack.
+	ResourcesToImport []*ResourceToImport `type:"list"`
+
 	// The Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM)
 	// role that AWS CloudFormation assumes when executing the change set. AWS CloudFormation
 	// uses the role's credentials to make calls on your behalf. AWS CloudFormation
@@ -4897,6 +4914,16 @@ func (s *CreateChangeSetInput) Validate() error {
 	if s.TemplateURL != nil && len(*s.TemplateURL) < 1 {
 		invalidParams.Add(request.NewErrParamMinLen("TemplateURL", 1))
 	}
+	if s.ResourcesToImport != nil {
+		for i, v := range s.ResourcesToImport {
+			if v == nil {
+				continue
+			}
+			if err := v.Validate(); err != nil {
+				invalidParams.AddNested(fmt.Sprintf("%s[%v]", "ResourcesToImport", i), err.(request.ErrInvalidParams))
+			}
+		}
+	}
 	if s.RollbackConfiguration != nil {
 		if err := s.RollbackConfiguration.Validate(); err != nil {
 			invalidParams.AddNested("RollbackConfiguration", err.(request.ErrInvalidParams))
@@ -4967,6 +4994,12 @@ func (s *CreateChangeSetInput) SetResourceTypes(v []*string) *CreateChangeSetInp
 	return s
 }
 
+// SetResourcesToImport sets the ResourcesToImport field's value.
+func (s *CreateChangeSetInput) SetResourcesToImport(v []*ResourceToImport) *CreateChangeSetInput {
+	s.ResourcesToImport = v
+	return s
+}
+
 // SetRoleARN sets the RoleARN field's value.
 func (s *CreateChangeSetInput) SetRoleARN(v string) *CreateChangeSetInput {
 	s.RoleARN = &v
@@ -5046,7 +5079,7 @@ func (s *CreateChangeSetOutput) SetStackId(v string) *CreateChangeSetOutput {
 type CreateStackInput struct {
 	_ struct{} `type:"structure"`
 
-	// In some cases, you must explicity acknowledge that your stack template contains
+	// In some cases, you must explicitly acknowledge that your stack template contains
 	// certain capabilities in order for AWS CloudFormation to create the stack.
 	//
 	//    * CAPABILITY_IAM and CAPABILITY_NAMED_IAM Some stack templates might include
@@ -5590,7 +5623,7 @@ type CreateStackSetInput struct {
 	// in the AWS CloudFormation User Guide.
 	AdministrationRoleARN *string `min:"20" type:"string"`
 
-	// In some cases, you must explicity acknowledge that your stack set template
+	// In some cases, you must explicitly acknowledge that your stack set template
 	// contains certain capabilities in order for AWS CloudFormation to create the
 	// stack set and related stack instances.
 	//
@@ -8093,6 +8126,12 @@ type GetTemplateSummaryOutput struct {
 	// parameter.
 	Parameters []*ParameterDeclaration `type:"list"`
 
+	// A list of resource identifier summaries that describe the target resources
+	// of an import operation and the properties you can provide during the import
+	// to identify the target resources. For example, BucketName is a possible identifier
+	// property for an AWS::S3::Bucket resource.
+	ResourceIdentifierSummaries []*ResourceIdentifierSummary `type:"list"`
+
 	// A list of all the template resource types that are defined in the template,
 	// such as AWS::EC2::Instance, AWS::Dynamo::Table, and Custom::MyCustomInstance.
 	ResourceTypes []*string `type:"list"`
@@ -8148,6 +8187,12 @@ func (s *GetTemplateSummaryOutput) SetParameters(v []*ParameterDeclaration) *Get
 	return s
 }
 
+// SetResourceIdentifierSummaries sets the ResourceIdentifierSummaries field's value.
+func (s *GetTemplateSummaryOutput) SetResourceIdentifierSummaries(v []*ResourceIdentifierSummary) *GetTemplateSummaryOutput {
+	s.ResourceIdentifierSummaries = v
+	return s
+}
+
 // SetResourceTypes sets the ResourceTypes field's value.
 func (s *GetTemplateSummaryOutput) SetResourceTypes(v []*string) *GetTemplateSummaryOutput {
 	s.ResourceTypes = v
@@ -9542,6 +9587,53 @@ func (s *ResourceChangeDetail) SetTarget(v *ResourceTargetDefinition) *ResourceC
 	return s
 }
 
+// Describes the target resources of a specific type in your import template
+// (for example, all AWS::S3::Bucket resources) and the properties you can provide
+// during the import to identify resources of that type.
+type ResourceIdentifierSummary struct {
+	_ struct{} `type:"structure"`
+
+	// The logical IDs of the target resources of the specified ResourceType, as
+	// defined in the import template.
+	LogicalResourceIds []*string `min:"1" type:"list"`
+
+	// The resource properties you can provide during the import to identify your
+	// target resources. For example, BucketName is a possible identifier property
+	// for AWS::S3::Bucket resources.
+	ResourceIdentifiers []*string `type:"list"`
+
+	// The template resource type of the target resources, such as AWS::S3::Bucket.
+	ResourceType *string `min:"1" type:"string"`
+}
+
+// String returns the string representation
+func (s ResourceIdentifierSummary) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ResourceIdentifierSummary) GoString() string {
+	return s.String()
+}
+
+// SetLogicalResourceIds sets the LogicalResourceIds field's value.
+func (s *ResourceIdentifierSummary) SetLogicalResourceIds(v []*string) *ResourceIdentifierSummary {
+	s.LogicalResourceIds = v
+	return s
+}
+
+// SetResourceIdentifiers sets the ResourceIdentifiers field's value.
+func (s *ResourceIdentifierSummary) SetResourceIdentifiers(v []*string) *ResourceIdentifierSummary {
+	s.ResourceIdentifiers = v
+	return s
+}
+
+// SetResourceType sets the ResourceType field's value.
+func (s *ResourceIdentifierSummary) SetResourceType(v string) *ResourceIdentifierSummary {
+	s.ResourceType = &v
+	return s
+}
+
 // The field that AWS CloudFormation will change, such as the name of a resource's
 // property, and whether the resource will be recreated.
 type ResourceTargetDefinition struct {
@@ -9591,6 +9683,81 @@ func (s *ResourceTargetDefinition) SetRequiresRecreation(v string) *ResourceTarg
 	return s
 }
 
+// Describes the target resource of an import operation.
+type ResourceToImport struct {
+	_ struct{} `type:"structure"`
+
+	// The logical ID of the target resource as specified in the template.
+	//
+	// LogicalResourceId is a required field
+	LogicalResourceId *string `type:"string" required:"true"`
+
+	// A key-value pair that identifies the target resource. The key is an identifier
+	// property (for example, BucketName for AWS::S3::Bucket resources) and the
+	// value is the actual property value (for example, MyS3Bucket).
+	//
+	// ResourceIdentifier is a required field
+	ResourceIdentifier map[string]*string `min:"1" type:"map" required:"true"`
+
+	// The type of resource to import into your stack, such as AWS::S3::Bucket.
+	//
+	// ResourceType is a required field
+	ResourceType *string `min:"1" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s ResourceToImport) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ResourceToImport) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *ResourceToImport) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "ResourceToImport"}
+	if s.LogicalResourceId == nil {
+		invalidParams.Add(request.NewErrParamRequired("LogicalResourceId"))
+	}
+	if s.ResourceIdentifier == nil {
+		invalidParams.Add(request.NewErrParamRequired("ResourceIdentifier"))
+	}
+	if s.ResourceIdentifier != nil && len(s.ResourceIdentifier) < 1 {
+		invalidParams.Add(request.NewErrParamMinLen("ResourceIdentifier", 1))
+	}
+	if s.ResourceType == nil {
+		invalidParams.Add(request.NewErrParamRequired("ResourceType"))
+	}
+	if s.ResourceType != nil && len(*s.ResourceType) < 1 {
+		invalidParams.Add(request.NewErrParamMinLen("ResourceType", 1))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetLogicalResourceId sets the LogicalResourceId field's value.
+func (s *ResourceToImport) SetLogicalResourceId(v string) *ResourceToImport {
+	s.LogicalResourceId = &v
+	return s
+}
+
+// SetResourceIdentifier sets the ResourceIdentifier field's value.
+func (s *ResourceToImport) SetResourceIdentifier(v map[string]*string) *ResourceToImport {
+	s.ResourceIdentifier = v
+	return s
+}
+
+// SetResourceType sets the ResourceType field's value.
+func (s *ResourceToImport) SetResourceType(v string) *ResourceToImport {
+	s.ResourceType = &v
+	return s
+}
+
 // Structure containing the rollback triggers for AWS CloudFormation to monitor
 // during stack creation and updating operations, and for the specified monitoring
 // period afterwards.
@@ -10014,7 +10181,7 @@ type Stack struct {
 	RollbackConfiguration *RollbackConfiguration `type:"structure"`
 
 	// For nested stacks--stacks created as resources for another stack--the stack
-	// ID of the the top-level stack to which the nested stack ultimately belongs.
+	// ID of the top-level stack to which the nested stack ultimately belongs.
 	//
 	// For more information, see Working with Nested Stacks (http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html)
 	// in the AWS CloudFormation User Guide.
@@ -11850,7 +12017,7 @@ type StackSummary struct {
 	ParentId *string `type:"string"`
 
 	// For nested stacks--stacks created as resources for another stack--the stack
-	// ID of the the top-level stack to which the nested stack ultimately belongs.
+	// ID of the top-level stack to which the nested stack ultimately belongs.
 	//
 	// For more information, see Working with Nested Stacks (http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html)
 	// in the AWS CloudFormation User Guide.
@@ -12141,7 +12308,7 @@ func (s *TemplateParameter) SetParameterKey(v string) *TemplateParameter {
 type UpdateStackInput struct {
 	_ struct{} `type:"structure"`
 
-	// In some cases, you must explicity acknowledge that your stack template contains
+	// In some cases, you must explicitly acknowledge that your stack template contains
 	// certain capabilities in order for AWS CloudFormation to update the stack.
 	//
 	//    * CAPABILITY_IAM and CAPABILITY_NAMED_IAM Some stack templates might include
@@ -12702,7 +12869,7 @@ type UpdateStackSetInput struct {
 	// same customized administrator role used with this stack set previously.
 	AdministrationRoleARN *string `min:"20" type:"string"`
 
-	// In some cases, you must explicity acknowledge that your stack template contains
+	// In some cases, you must explicitly acknowledge that your stack template contains
 	// certain capabilities in order for AWS CloudFormation to update the stack
 	// set and its associated stack instances.
 	//
@@ -13255,6 +13422,9 @@ const (
 
 	// ChangeActionRemove is a ChangeAction enum value
 	ChangeActionRemove = "Remove"
+
+	// ChangeActionImport is a ChangeAction enum value
+	ChangeActionImport = "Import"
 )
 
 const (
@@ -13280,6 +13450,9 @@ const (
 
 	// ChangeSetTypeUpdate is a ChangeSetType enum value
 	ChangeSetTypeUpdate = "UPDATE"
+
+	// ChangeSetTypeImport is a ChangeSetType enum value
+	ChangeSetTypeImport = "IMPORT"
 )
 
 const (
@@ -13434,6 +13607,24 @@ const (
 
 	// ResourceStatusUpdateComplete is a ResourceStatus enum value
 	ResourceStatusUpdateComplete = "UPDATE_COMPLETE"
+
+	// ResourceStatusImportFailed is a ResourceStatus enum value
+	ResourceStatusImportFailed = "IMPORT_FAILED"
+
+	// ResourceStatusImportComplete is a ResourceStatus enum value
+	ResourceStatusImportComplete = "IMPORT_COMPLETE"
+
+	// ResourceStatusImportInProgress is a ResourceStatus enum value
+	ResourceStatusImportInProgress = "IMPORT_IN_PROGRESS"
+
+	// ResourceStatusImportRollbackInProgress is a ResourceStatus enum value
+	ResourceStatusImportRollbackInProgress = "IMPORT_ROLLBACK_IN_PROGRESS"
+
+	// ResourceStatusImportRollbackFailed is a ResourceStatus enum value
+	ResourceStatusImportRollbackFailed = "IMPORT_ROLLBACK_FAILED"
+
+	// ResourceStatusImportRollbackComplete is a ResourceStatus enum value
+	ResourceStatusImportRollbackComplete = "IMPORT_ROLLBACK_COMPLETE"
 )
 
 const (
@@ -13590,6 +13781,21 @@ const (
 
 	// StackStatusReviewInProgress is a StackStatus enum value
 	StackStatusReviewInProgress = "REVIEW_IN_PROGRESS"
+
+	// StackStatusImportInProgress is a StackStatus enum value
+	StackStatusImportInProgress = "IMPORT_IN_PROGRESS"
+
+	// StackStatusImportComplete is a StackStatus enum value
+	StackStatusImportComplete = "IMPORT_COMPLETE"
+
+	// StackStatusImportRollbackInProgress is a StackStatus enum value
+	StackStatusImportRollbackInProgress = "IMPORT_ROLLBACK_IN_PROGRESS"
+
+	// StackStatusImportRollbackFailed is a StackStatus enum value
+	StackStatusImportRollbackFailed = "IMPORT_ROLLBACK_FAILED"
+
+	// StackStatusImportRollbackComplete is a StackStatus enum value
+	StackStatusImportRollbackComplete = "IMPORT_ROLLBACK_COMPLETE"
 )
 
 const (
diff --git a/vendor/github.com/aws/aws-sdk-go/service/cloudformation/waiters.go b/vendor/github.com/aws/aws-sdk-go/service/cloudformation/waiters.go
index afe8a1b2eb3d..cabb91cee564 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/cloudformation/waiters.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/cloudformation/waiters.go
@@ -188,6 +188,11 @@ func (c *CloudFormation) WaitUntilStackDeleteCompleteWithContext(ctx aws.Context
 				Matcher: request.PathAnyWaiterMatch, Argument: "Stacks[].StackStatus",
 				Expected: "ROLLBACK_FAILED",
 			},
+			{
+				State:   request.FailureWaiterState,
+				Matcher: request.PathAnyWaiterMatch, Argument: "Stacks[].StackStatus",
+				Expected: "UPDATE_ROLLBACK_IN_PROGRESS",
+			},
 			{
 				State:   request.FailureWaiterState,
 				Matcher: request.PathAnyWaiterMatch, Argument: "Stacks[].StackStatus",
@@ -196,7 +201,7 @@ func (c *CloudFormation) WaitUntilStackDeleteCompleteWithContext(ctx aws.Context
 			{
 				State:   request.FailureWaiterState,
 				Matcher: request.PathAnyWaiterMatch, Argument: "Stacks[].StackStatus",
-				Expected: "UPDATE_ROLLBACK_IN_PROGRESS",
+				Expected: "UPDATE_ROLLBACK_COMPLETE",
 			},
 		},
 		Logger: c.Config.Logger,
@@ -268,6 +273,82 @@ func (c *CloudFormation) WaitUntilStackExistsWithContext(ctx aws.Context, input
 	return w.WaitWithContext(ctx)
 }
 
+// WaitUntilStackImportComplete uses the AWS CloudFormation API operation
+// DescribeStacks to wait for a condition to be met before returning.
+// If the condition is not met within the max attempt window, an error will
+// be returned.
+func (c *CloudFormation) WaitUntilStackImportComplete(input *DescribeStacksInput) error {
+	return c.WaitUntilStackImportCompleteWithContext(aws.BackgroundContext(), input)
+}
+
+// WaitUntilStackImportCompleteWithContext is an extended version of WaitUntilStackImportComplete.
+// With the support for passing in a context and options to configure the
+// Waiter and the underlying request options.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *CloudFormation) WaitUntilStackImportCompleteWithContext(ctx aws.Context, input *DescribeStacksInput, opts ...request.WaiterOption) error {
+	w := request.Waiter{
+		Name:        "WaitUntilStackImportComplete",
+		MaxAttempts: 120,
+		Delay:       request.ConstantWaiterDelay(30 * time.Second),
+		Acceptors: []request.WaiterAcceptor{
+			{
+				State:   request.SuccessWaiterState,
+				Matcher: request.PathAllWaiterMatch, Argument: "Stacks[].StackStatus",
+				Expected: "IMPORT_COMPLETE",
+			},
+			{
+				State:   request.FailureWaiterState,
+				Matcher: request.PathAnyWaiterMatch, Argument: "Stacks[].StackStatus",
+				Expected: "ROLLBACK_COMPLETE",
+			},
+			{
+				State:   request.FailureWaiterState,
+				Matcher: request.PathAnyWaiterMatch, Argument: "Stacks[].StackStatus",
+				Expected: "ROLLBACK_FAILED",
+			},
+			{
+				State:   request.FailureWaiterState,
+				Matcher: request.PathAnyWaiterMatch, Argument: "Stacks[].StackStatus",
+				Expected: "IMPORT_ROLLBACK_IN_PROGRESS",
+			},
+			{
+				State:   request.FailureWaiterState,
+				Matcher: request.PathAnyWaiterMatch, Argument: "Stacks[].StackStatus",
+				Expected: "IMPORT_ROLLBACK_FAILED",
+			},
+			{
+				State:   request.FailureWaiterState,
+				Matcher: request.PathAnyWaiterMatch, Argument: "Stacks[].StackStatus",
+				Expected: "IMPORT_ROLLBACK_COMPLETE",
+			},
+			{
+				State:    request.FailureWaiterState,
+				Matcher:  request.ErrorWaiterMatch,
+				Expected: "ValidationError",
+			},
+		},
+		Logger: c.Config.Logger,
+		NewRequest: func(opts []request.Option) (*request.Request, error) {
+			var inCpy *DescribeStacksInput
+			if input != nil {
+				tmp := *input
+				inCpy = &tmp
+			}
+			req, _ := c.DescribeStacksRequest(inCpy)
+			req.SetContext(ctx)
+			req.ApplyOptions(opts...)
+			return req, nil
+		},
+	}
+	w.ApplyOptions(opts...)
+
+	return w.WaitWithContext(ctx)
+}
+
 // WaitUntilStackUpdateComplete uses the AWS CloudFormation API operation
 // DescribeStacks to wait for a condition to be met before returning.
 // If the condition is not met within the max attempt window, an error will
diff --git a/vendor/github.com/aws/aws-sdk-go/service/cloudsearch/api.go b/vendor/github.com/aws/aws-sdk-go/service/cloudsearch/api.go
index bff1d60da289..a39be361ffd9 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/cloudsearch/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/cloudsearch/api.go
@@ -1185,6 +1185,99 @@ func (c *CloudSearch) DescribeAvailabilityOptionsWithContext(ctx aws.Context, in
 	return out, req.Send()
 }
 
+const opDescribeDomainEndpointOptions = "DescribeDomainEndpointOptions"
+
+// DescribeDomainEndpointOptionsRequest generates a "aws/request.Request" representing the
+// client's request for the DescribeDomainEndpointOptions operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See DescribeDomainEndpointOptions for more information on using the DescribeDomainEndpointOptions
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+//    // Example sending a request using the DescribeDomainEndpointOptionsRequest method.
+//    req, resp := client.DescribeDomainEndpointOptionsRequest(params)
+//
+//    err := req.Send()
+//    if err == nil { // resp is now filled
+//        fmt.Println(resp)
+//    }
+func (c *CloudSearch) DescribeDomainEndpointOptionsRequest(input *DescribeDomainEndpointOptionsInput) (req *request.Request, output *DescribeDomainEndpointOptionsOutput) {
+	op := &request.Operation{
+		Name:       opDescribeDomainEndpointOptions,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &DescribeDomainEndpointOptionsInput{}
+	}
+
+	output = &DescribeDomainEndpointOptionsOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// DescribeDomainEndpointOptions API operation for Amazon CloudSearch.
+//
+// Returns the domain's endpoint options, specifically whether all requests
+// to the domain must arrive over HTTPS. For more information, see Configuring
+// Domain Endpoint Options (http://docs.aws.amazon.com/cloudsearch/latest/developerguide/configuring-domain-endpoint-options.html)
+// in the Amazon CloudSearch Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon CloudSearch's
+// API operation DescribeDomainEndpointOptions for usage and error information.
+//
+// Returned Error Codes:
+//   * ErrCodeBaseException "BaseException"
+//   An error occurred while processing the request.
+//
+//   * ErrCodeInternalException "InternalException"
+//   An internal error occurred while processing the request. If this problem
+//   persists, report an issue from the Service Health Dashboard (http://status.aws.amazon.com/).
+//
+//   * ErrCodeLimitExceededException "LimitExceeded"
+//   The request was rejected because a resource limit has already been met.
+//
+//   * ErrCodeResourceNotFoundException "ResourceNotFound"
+//   The request was rejected because it attempted to reference a resource that
+//   does not exist.
+//
+//   * ErrCodeDisabledOperationException "DisabledAction"
+//   The request was rejected because it attempted an operation which is not enabled.
+//
+func (c *CloudSearch) DescribeDomainEndpointOptions(input *DescribeDomainEndpointOptionsInput) (*DescribeDomainEndpointOptionsOutput, error) {
+	req, out := c.DescribeDomainEndpointOptionsRequest(input)
+	return out, req.Send()
+}
+
+// DescribeDomainEndpointOptionsWithContext is the same as DescribeDomainEndpointOptions with the addition of
+// the ability to pass a context and additional request options.
+//
+// See DescribeDomainEndpointOptions for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *CloudSearch) DescribeDomainEndpointOptionsWithContext(ctx aws.Context, input *DescribeDomainEndpointOptionsInput, opts ...request.Option) (*DescribeDomainEndpointOptionsOutput, error) {
+	req, out := c.DescribeDomainEndpointOptionsRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
 const opDescribeDomains = "DescribeDomains"
 
 // DescribeDomainsRequest generates a "aws/request.Request" representing the
@@ -1953,6 +2046,9 @@ func (c *CloudSearch) UpdateAvailabilityOptionsRequest(input *UpdateAvailability
 //   * ErrCodeDisabledOperationException "DisabledAction"
 //   The request was rejected because it attempted an operation which is not enabled.
 //
+//   * ErrCodeValidationException "ValidationException"
+//   The request was rejected because it has invalid parameters.
+//
 func (c *CloudSearch) UpdateAvailabilityOptions(input *UpdateAvailabilityOptionsInput) (*UpdateAvailabilityOptionsOutput, error) {
 	req, out := c.UpdateAvailabilityOptionsRequest(input)
 	return out, req.Send()
@@ -1974,6 +2070,105 @@ func (c *CloudSearch) UpdateAvailabilityOptionsWithContext(ctx aws.Context, inpu
 	return out, req.Send()
 }
 
+const opUpdateDomainEndpointOptions = "UpdateDomainEndpointOptions"
+
+// UpdateDomainEndpointOptionsRequest generates a "aws/request.Request" representing the
+// client's request for the UpdateDomainEndpointOptions operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See UpdateDomainEndpointOptions for more information on using the UpdateDomainEndpointOptions
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+//    // Example sending a request using the UpdateDomainEndpointOptionsRequest method.
+//    req, resp := client.UpdateDomainEndpointOptionsRequest(params)
+//
+//    err := req.Send()
+//    if err == nil { // resp is now filled
+//        fmt.Println(resp)
+//    }
+func (c *CloudSearch) UpdateDomainEndpointOptionsRequest(input *UpdateDomainEndpointOptionsInput) (req *request.Request, output *UpdateDomainEndpointOptionsOutput) {
+	op := &request.Operation{
+		Name:       opUpdateDomainEndpointOptions,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &UpdateDomainEndpointOptionsInput{}
+	}
+
+	output = &UpdateDomainEndpointOptionsOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// UpdateDomainEndpointOptions API operation for Amazon CloudSearch.
+//
+// Updates the domain's endpoint options, specifically whether all requests
+// to the domain must arrive over HTTPS. For more information, see Configuring
+// Domain Endpoint Options (http://docs.aws.amazon.com/cloudsearch/latest/developerguide/configuring-domain-endpoint-options.html)
+// in the Amazon CloudSearch Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon CloudSearch's
+// API operation UpdateDomainEndpointOptions for usage and error information.
+//
+// Returned Error Codes:
+//   * ErrCodeBaseException "BaseException"
+//   An error occurred while processing the request.
+//
+//   * ErrCodeInternalException "InternalException"
+//   An internal error occurred while processing the request. If this problem
+//   persists, report an issue from the Service Health Dashboard (http://status.aws.amazon.com/).
+//
+//   * ErrCodeInvalidTypeException "InvalidType"
+//   The request was rejected because it specified an invalid type definition.
+//
+//   * ErrCodeLimitExceededException "LimitExceeded"
+//   The request was rejected because a resource limit has already been met.
+//
+//   * ErrCodeResourceNotFoundException "ResourceNotFound"
+//   The request was rejected because it attempted to reference a resource that
+//   does not exist.
+//
+//   * ErrCodeDisabledOperationException "DisabledAction"
+//   The request was rejected because it attempted an operation which is not enabled.
+//
+//   * ErrCodeValidationException "ValidationException"
+//   The request was rejected because it has invalid parameters.
+//
+func (c *CloudSearch) UpdateDomainEndpointOptions(input *UpdateDomainEndpointOptionsInput) (*UpdateDomainEndpointOptionsOutput, error) {
+	req, out := c.UpdateDomainEndpointOptionsRequest(input)
+	return out, req.Send()
+}
+
+// UpdateDomainEndpointOptionsWithContext is the same as UpdateDomainEndpointOptions with the addition of
+// the ability to pass a context and additional request options.
+//
+// See UpdateDomainEndpointOptions for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *CloudSearch) UpdateDomainEndpointOptionsWithContext(ctx aws.Context, input *UpdateDomainEndpointOptionsInput, opts ...request.Option) (*UpdateDomainEndpointOptionsOutput, error) {
+	req, out := c.UpdateDomainEndpointOptionsRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
 const opUpdateScalingParameters = "UpdateScalingParameters"
 
 // UpdateScalingParametersRequest generates a "aws/request.Request" representing the
@@ -3715,6 +3910,85 @@ func (s *DescribeAvailabilityOptionsOutput) SetAvailabilityOptions(v *Availabili
 	return s
 }
 
+// Container for the parameters to the DescribeDomainEndpointOptions operation.
+// Specify the name of the domain you want to describe. To show the active configuration
+// and exclude any pending changes, set the Deployed option to true.
+type DescribeDomainEndpointOptionsInput struct {
+	_ struct{} `type:"structure"`
+
+	// Whether to retrieve the latest configuration (which might be in a Processing
+	// state) or the current, active configuration. Defaults to false.
+	Deployed *bool `type:"boolean"`
+
+	// A string that represents the name of a domain.
+	//
+	// DomainName is a required field
+	DomainName *string `min:"3" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s DescribeDomainEndpointOptionsInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DescribeDomainEndpointOptionsInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *DescribeDomainEndpointOptionsInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "DescribeDomainEndpointOptionsInput"}
+	if s.DomainName == nil {
+		invalidParams.Add(request.NewErrParamRequired("DomainName"))
+	}
+	if s.DomainName != nil && len(*s.DomainName) < 3 {
+		invalidParams.Add(request.NewErrParamMinLen("DomainName", 3))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetDeployed sets the Deployed field's value.
+func (s *DescribeDomainEndpointOptionsInput) SetDeployed(v bool) *DescribeDomainEndpointOptionsInput {
+	s.Deployed = &v
+	return s
+}
+
+// SetDomainName sets the DomainName field's value.
+func (s *DescribeDomainEndpointOptionsInput) SetDomainName(v string) *DescribeDomainEndpointOptionsInput {
+	s.DomainName = &v
+	return s
+}
+
+// The result of a DescribeDomainEndpointOptions request. Contains the status
+// and configuration of a search domain's endpoint options.
+type DescribeDomainEndpointOptionsOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The status and configuration of a search domain's endpoint options.
+	DomainEndpointOptions *DomainEndpointOptionsStatus `type:"structure"`
+}
+
+// String returns the string representation
+func (s DescribeDomainEndpointOptionsOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DescribeDomainEndpointOptionsOutput) GoString() string {
+	return s.String()
+}
+
+// SetDomainEndpointOptions sets the DomainEndpointOptions field's value.
+func (s *DescribeDomainEndpointOptionsOutput) SetDomainEndpointOptions(v *DomainEndpointOptionsStatus) *DescribeDomainEndpointOptionsOutput {
+	s.DomainEndpointOptions = v
+	return s
+}
+
 // Container for the parameters to the DescribeDomains operation. By default
 // shows the status of all domains. To restrict the response to particular domains,
 // specify the names of the domains you want to describe.
@@ -4269,6 +4543,76 @@ func (s *DocumentSuggesterOptions) SetSourceField(v string) *DocumentSuggesterOp
 	return s
 }
 
+// The domain's endpoint options.
+type DomainEndpointOptions struct {
+	_ struct{} `type:"structure"`
+
+	// Whether the domain is HTTPS only enabled.
+	EnforceHTTPS *bool `type:"boolean"`
+
+	// The minimum required TLS version
+	TLSSecurityPolicy *string `type:"string" enum:"TLSSecurityPolicy"`
+}
+
+// String returns the string representation
+func (s DomainEndpointOptions) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DomainEndpointOptions) GoString() string {
+	return s.String()
+}
+
+// SetEnforceHTTPS sets the EnforceHTTPS field's value.
+func (s *DomainEndpointOptions) SetEnforceHTTPS(v bool) *DomainEndpointOptions {
+	s.EnforceHTTPS = &v
+	return s
+}
+
+// SetTLSSecurityPolicy sets the TLSSecurityPolicy field's value.
+func (s *DomainEndpointOptions) SetTLSSecurityPolicy(v string) *DomainEndpointOptions {
+	s.TLSSecurityPolicy = &v
+	return s
+}
+
+// The configuration and status of the domain's endpoint options.
+type DomainEndpointOptionsStatus struct {
+	_ struct{} `type:"structure"`
+
+	// The domain endpoint options configured for the domain.
+	//
+	// Options is a required field
+	Options *DomainEndpointOptions `type:"structure" required:"true"`
+
+	// The status of the configured domain endpoint options.
+	//
+	// Status is a required field
+	Status *OptionStatus `type:"structure" required:"true"`
+}
+
+// String returns the string representation
+func (s DomainEndpointOptionsStatus) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DomainEndpointOptionsStatus) GoString() string {
+	return s.String()
+}
+
+// SetOptions sets the Options field's value.
+func (s *DomainEndpointOptionsStatus) SetOptions(v *DomainEndpointOptions) *DomainEndpointOptionsStatus {
+	s.Options = v
+	return s
+}
+
+// SetStatus sets the Status field's value.
+func (s *DomainEndpointOptionsStatus) SetStatus(v *OptionStatus) *DomainEndpointOptionsStatus {
+	s.Status = v
+	return s
+}
+
 // The current status of the search domain.
 type DomainStatus struct {
 	_ struct{} `type:"structure"`
@@ -6005,6 +6349,91 @@ func (s *UpdateAvailabilityOptionsOutput) SetAvailabilityOptions(v *Availability
 	return s
 }
 
+// Container for the parameters to the UpdateDomainEndpointOptions operation.
+// Specifies the name of the domain you want to update and the domain endpoint
+// options.
+type UpdateDomainEndpointOptionsInput struct {
+	_ struct{} `type:"structure"`
+
+	// Whether to require that all requests to the domain arrive over HTTPS. We
+	// recommend Policy-Min-TLS-1-2-2019-07 for TLSSecurityPolicy. For compatibility
+	// with older clients, the default is Policy-Min-TLS-1-0-2019-07.
+	//
+	// DomainEndpointOptions is a required field
+	DomainEndpointOptions *DomainEndpointOptions `type:"structure" required:"true"`
+
+	// A string that represents the name of a domain.
+	//
+	// DomainName is a required field
+	DomainName *string `min:"3" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s UpdateDomainEndpointOptionsInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s UpdateDomainEndpointOptionsInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *UpdateDomainEndpointOptionsInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "UpdateDomainEndpointOptionsInput"}
+	if s.DomainEndpointOptions == nil {
+		invalidParams.Add(request.NewErrParamRequired("DomainEndpointOptions"))
+	}
+	if s.DomainName == nil {
+		invalidParams.Add(request.NewErrParamRequired("DomainName"))
+	}
+	if s.DomainName != nil && len(*s.DomainName) < 3 {
+		invalidParams.Add(request.NewErrParamMinLen("DomainName", 3))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetDomainEndpointOptions sets the DomainEndpointOptions field's value.
+func (s *UpdateDomainEndpointOptionsInput) SetDomainEndpointOptions(v *DomainEndpointOptions) *UpdateDomainEndpointOptionsInput {
+	s.DomainEndpointOptions = v
+	return s
+}
+
+// SetDomainName sets the DomainName field's value.
+func (s *UpdateDomainEndpointOptionsInput) SetDomainName(v string) *UpdateDomainEndpointOptionsInput {
+	s.DomainName = &v
+	return s
+}
+
+// The result of a UpdateDomainEndpointOptions request. Contains the configuration
+// and status of the domain's endpoint options.
+type UpdateDomainEndpointOptionsOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The newly-configured domain endpoint options.
+	DomainEndpointOptions *DomainEndpointOptionsStatus `type:"structure"`
+}
+
+// String returns the string representation
+func (s UpdateDomainEndpointOptionsOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s UpdateDomainEndpointOptionsOutput) GoString() string {
+	return s.String()
+}
+
+// SetDomainEndpointOptions sets the DomainEndpointOptions field's value.
+func (s *UpdateDomainEndpointOptionsOutput) SetDomainEndpointOptions(v *DomainEndpointOptionsStatus) *UpdateDomainEndpointOptionsOutput {
+	s.DomainEndpointOptions = v
+	return s
+}
+
 // Container for the parameters to the UpdateScalingParameters operation. Specifies
 // the name of the domain you want to update and the scaling parameters you
 // want to configure.
@@ -6408,3 +6837,12 @@ const (
 	// SuggesterFuzzyMatchingHigh is a SuggesterFuzzyMatching enum value
 	SuggesterFuzzyMatchingHigh = "high"
 )
+
+// The minimum required TLS version.
+const (
+	// TLSSecurityPolicyPolicyMinTls10201907 is a TLSSecurityPolicy enum value
+	TLSSecurityPolicyPolicyMinTls10201907 = "Policy-Min-TLS-1-0-2019-07"
+
+	// TLSSecurityPolicyPolicyMinTls12201907 is a TLSSecurityPolicy enum value
+	TLSSecurityPolicyPolicyMinTls12201907 = "Policy-Min-TLS-1-2-2019-07"
+)
diff --git a/vendor/github.com/aws/aws-sdk-go/service/cloudsearch/errors.go b/vendor/github.com/aws/aws-sdk-go/service/cloudsearch/errors.go
index f0ed2f1e2fc6..b807f29ab043 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/cloudsearch/errors.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/cloudsearch/errors.go
@@ -41,4 +41,10 @@ const (
 	// The request was rejected because it attempted to reference a resource that
 	// does not exist.
 	ErrCodeResourceNotFoundException = "ResourceNotFound"
+
+	// ErrCodeValidationException for service response error code
+	// "ValidationException".
+	//
+	// The request was rejected because it has invalid parameters.
+	ErrCodeValidationException = "ValidationException"
 )
diff --git a/vendor/github.com/aws/aws-sdk-go/service/codepipeline/api.go b/vendor/github.com/aws/aws-sdk-go/service/codepipeline/api.go
index 9838d3012c8f..372dfb8fa486 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/codepipeline/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/codepipeline/api.go
@@ -2717,6 +2717,9 @@ func (c *CodePipeline) PutJobSuccessResultRequest(input *PutJobSuccessResultInpu
 //   * ErrCodeInvalidJobStateException "InvalidJobStateException"
 //   The job state was specified in an invalid format.
 //
+//   * ErrCodeOutputVariablesSizeExceededException "OutputVariablesSizeExceededException"
+//   Exceeded the total size limit for all variables in the pipeline.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/codepipeline-2015-07-09/PutJobSuccessResult
 func (c *CodePipeline) PutJobSuccessResult(input *PutJobSuccessResultInput) (*PutJobSuccessResultOutput, error) {
 	req, out := c.PutJobSuccessResultRequest(input)
@@ -4032,6 +4035,10 @@ type ActionDeclaration struct {
 	// Name is a required field
 	Name *string `locationName:"name" min:"1" type:"string" required:"true"`
 
+	// The variable namespace associated with the action. All variables produced
+	// as output by this action fall under this namespace.
+	Namespace *string `locationName:"namespace" min:"1" type:"string"`
+
 	// The name or ID of the result of the action declaration, such as a test or
 	// build artifact.
 	OutputArtifacts []*OutputArtifact `locationName:"outputArtifacts" type:"list"`
@@ -4069,6 +4076,9 @@ func (s *ActionDeclaration) Validate() error {
 	if s.Name != nil && len(*s.Name) < 1 {
 		invalidParams.Add(request.NewErrParamMinLen("Name", 1))
 	}
+	if s.Namespace != nil && len(*s.Namespace) < 1 {
+		invalidParams.Add(request.NewErrParamMinLen("Namespace", 1))
+	}
 	if s.Region != nil && len(*s.Region) < 4 {
 		invalidParams.Add(request.NewErrParamMinLen("Region", 4))
 	}
@@ -4131,6 +4141,12 @@ func (s *ActionDeclaration) SetName(v string) *ActionDeclaration {
 	return s
 }
 
+// SetNamespace sets the Namespace field's value.
+func (s *ActionDeclaration) SetNamespace(v string) *ActionDeclaration {
+	s.Namespace = &v
+	return s
+}
+
 // SetOutputArtifacts sets the OutputArtifacts field's value.
 func (s *ActionDeclaration) SetOutputArtifacts(v []*OutputArtifact) *ActionDeclaration {
 	s.OutputArtifacts = v
@@ -4401,9 +4417,17 @@ type ActionExecutionInput struct {
 	// Details of input artifacts of the action that correspond to the action execution.
 	InputArtifacts []*ArtifactDetail `locationName:"inputArtifacts" type:"list"`
 
+	// The variable namespace associated with the action. All variables produced
+	// as output by this action fall under this namespace.
+	Namespace *string `locationName:"namespace" min:"1" type:"string"`
+
 	// The AWS Region for the action, such as us-east-1.
 	Region *string `locationName:"region" min:"4" type:"string"`
 
+	// Configuration data for an action execution with all variable references replaced
+	// with their real values for the execution.
+	ResolvedConfiguration map[string]*string `locationName:"resolvedConfiguration" type:"map"`
+
 	// The ARN of the IAM service role that performs the declared action. This is
 	// assumed through the roleArn for the pipeline.
 	RoleArn *string `locationName:"roleArn" type:"string"`
@@ -4437,12 +4461,24 @@ func (s *ActionExecutionInput) SetInputArtifacts(v []*ArtifactDetail) *ActionExe
 	return s
 }
 
+// SetNamespace sets the Namespace field's value.
+func (s *ActionExecutionInput) SetNamespace(v string) *ActionExecutionInput {
+	s.Namespace = &v
+	return s
+}
+
 // SetRegion sets the Region field's value.
 func (s *ActionExecutionInput) SetRegion(v string) *ActionExecutionInput {
 	s.Region = &v
 	return s
 }
 
+// SetResolvedConfiguration sets the ResolvedConfiguration field's value.
+func (s *ActionExecutionInput) SetResolvedConfiguration(v map[string]*string) *ActionExecutionInput {
+	s.ResolvedConfiguration = v
+	return s
+}
+
 // SetRoleArn sets the RoleArn field's value.
 func (s *ActionExecutionInput) SetRoleArn(v string) *ActionExecutionInput {
 	s.RoleArn = &v
@@ -4459,6 +4495,10 @@ type ActionExecutionOutput struct {
 
 	// Details of output artifacts of the action that correspond to the action execution.
 	OutputArtifacts []*ArtifactDetail `locationName:"outputArtifacts" type:"list"`
+
+	// The outputVariables field shows the key-value pairs that were output as part
+	// of that execution.
+	OutputVariables map[string]*string `locationName:"outputVariables" type:"map"`
 }
 
 // String returns the string representation
@@ -4483,6 +4523,12 @@ func (s *ActionExecutionOutput) SetOutputArtifacts(v []*ArtifactDetail) *ActionE
 	return s
 }
 
+// SetOutputVariables sets the OutputVariables field's value.
+func (s *ActionExecutionOutput) SetOutputVariables(v map[string]*string) *ActionExecutionOutput {
+	s.OutputVariables = v
+	return s
+}
+
 // Execution result information, such as the external execution ID.
 type ActionExecutionResult struct {
 	_ struct{} `type:"structure"`
@@ -8777,6 +8823,11 @@ type PutJobSuccessResultInput struct {
 	//
 	// JobId is a required field
 	JobId *string `locationName:"jobId" type:"string" required:"true"`
+
+	// Key-value pairs produced as output by a job worker that can be made available
+	// to a downstream action configuration. outputVariables can be included only
+	// when there is no continuation token on the request.
+	OutputVariables map[string]*string `locationName:"outputVariables" type:"map"`
 }
 
 // String returns the string representation
@@ -8839,6 +8890,12 @@ func (s *PutJobSuccessResultInput) SetJobId(v string) *PutJobSuccessResultInput
 	return s
 }
 
+// SetOutputVariables sets the OutputVariables field's value.
+func (s *PutJobSuccessResultInput) SetOutputVariables(v map[string]*string) *PutJobSuccessResultInput {
+	s.OutputVariables = v
+	return s
+}
+
 type PutJobSuccessResultOutput struct {
 	_ struct{} `type:"structure"`
 }
diff --git a/vendor/github.com/aws/aws-sdk-go/service/codepipeline/errors.go b/vendor/github.com/aws/aws-sdk-go/service/codepipeline/errors.go
index ebe75cea7698..4a279e6dbab2 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/codepipeline/errors.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/codepipeline/errors.go
@@ -133,6 +133,12 @@ const (
 	// associated with the request is out of date.
 	ErrCodeNotLatestPipelineExecutionException = "NotLatestPipelineExecutionException"
 
+	// ErrCodeOutputVariablesSizeExceededException for service response error code
+	// "OutputVariablesSizeExceededException".
+	//
+	// Exceeded the total size limit for all variables in the pipeline.
+	ErrCodeOutputVariablesSizeExceededException = "OutputVariablesSizeExceededException"
+
 	// ErrCodePipelineExecutionNotFoundException for service response error code
 	// "PipelineExecutionNotFoundException".
 	//
diff --git a/vendor/github.com/aws/aws-sdk-go/service/dlm/api.go b/vendor/github.com/aws/aws-sdk-go/service/dlm/api.go
index 6f6e1bb03ff2..e3df1b688444 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/dlm/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/dlm/api.go
@@ -361,6 +361,263 @@ func (c *DLM) GetLifecyclePolicyWithContext(ctx aws.Context, input *GetLifecycle
 	return out, req.Send()
 }
 
+const opListTagsForResource = "ListTagsForResource"
+
+// ListTagsForResourceRequest generates a "aws/request.Request" representing the
+// client's request for the ListTagsForResource operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See ListTagsForResource for more information on using the ListTagsForResource
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+//    // Example sending a request using the ListTagsForResourceRequest method.
+//    req, resp := client.ListTagsForResourceRequest(params)
+//
+//    err := req.Send()
+//    if err == nil { // resp is now filled
+//        fmt.Println(resp)
+//    }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/dlm-2018-01-12/ListTagsForResource
+func (c *DLM) ListTagsForResourceRequest(input *ListTagsForResourceInput) (req *request.Request, output *ListTagsForResourceOutput) {
+	op := &request.Operation{
+		Name:       opListTagsForResource,
+		HTTPMethod: "GET",
+		HTTPPath:   "/tags/{resourceArn}",
+	}
+
+	if input == nil {
+		input = &ListTagsForResourceInput{}
+	}
+
+	output = &ListTagsForResourceOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// ListTagsForResource API operation for Amazon Data Lifecycle Manager.
+//
+// Lists the tags for the specified resource.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Data Lifecycle Manager's
+// API operation ListTagsForResource for usage and error information.
+//
+// Returned Error Codes:
+//   * ErrCodeInternalServerException "InternalServerException"
+//   The service failed in an unexpected way.
+//
+//   * ErrCodeInvalidRequestException "InvalidRequestException"
+//   Bad request. The request is missing required parameters or has invalid parameters.
+//
+//   * ErrCodeResourceNotFoundException "ResourceNotFoundException"
+//   A requested resource was not found.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/dlm-2018-01-12/ListTagsForResource
+func (c *DLM) ListTagsForResource(input *ListTagsForResourceInput) (*ListTagsForResourceOutput, error) {
+	req, out := c.ListTagsForResourceRequest(input)
+	return out, req.Send()
+}
+
+// ListTagsForResourceWithContext is the same as ListTagsForResource with the addition of
+// the ability to pass a context and additional request options.
+//
+// See ListTagsForResource for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *DLM) ListTagsForResourceWithContext(ctx aws.Context, input *ListTagsForResourceInput, opts ...request.Option) (*ListTagsForResourceOutput, error) {
+	req, out := c.ListTagsForResourceRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
+const opTagResource = "TagResource"
+
+// TagResourceRequest generates a "aws/request.Request" representing the
+// client's request for the TagResource operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See TagResource for more information on using the TagResource
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+//    // Example sending a request using the TagResourceRequest method.
+//    req, resp := client.TagResourceRequest(params)
+//
+//    err := req.Send()
+//    if err == nil { // resp is now filled
+//        fmt.Println(resp)
+//    }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/dlm-2018-01-12/TagResource
+func (c *DLM) TagResourceRequest(input *TagResourceInput) (req *request.Request, output *TagResourceOutput) {
+	op := &request.Operation{
+		Name:       opTagResource,
+		HTTPMethod: "POST",
+		HTTPPath:   "/tags/{resourceArn}",
+	}
+
+	if input == nil {
+		input = &TagResourceInput{}
+	}
+
+	output = &TagResourceOutput{}
+	req = c.newRequest(op, input, output)
+	req.Handlers.Unmarshal.Swap(restjson.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
+	return
+}
+
+// TagResource API operation for Amazon Data Lifecycle Manager.
+//
+// Adds the specified tags to the specified resource.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Data Lifecycle Manager's
+// API operation TagResource for usage and error information.
+//
+// Returned Error Codes:
+//   * ErrCodeInternalServerException "InternalServerException"
+//   The service failed in an unexpected way.
+//
+//   * ErrCodeInvalidRequestException "InvalidRequestException"
+//   Bad request. The request is missing required parameters or has invalid parameters.
+//
+//   * ErrCodeResourceNotFoundException "ResourceNotFoundException"
+//   A requested resource was not found.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/dlm-2018-01-12/TagResource
+func (c *DLM) TagResource(input *TagResourceInput) (*TagResourceOutput, error) {
+	req, out := c.TagResourceRequest(input)
+	return out, req.Send()
+}
+
+// TagResourceWithContext is the same as TagResource with the addition of
+// the ability to pass a context and additional request options.
+//
+// See TagResource for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *DLM) TagResourceWithContext(ctx aws.Context, input *TagResourceInput, opts ...request.Option) (*TagResourceOutput, error) {
+	req, out := c.TagResourceRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
+const opUntagResource = "UntagResource"
+
+// UntagResourceRequest generates a "aws/request.Request" representing the
+// client's request for the UntagResource operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See UntagResource for more information on using the UntagResource
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+//    // Example sending a request using the UntagResourceRequest method.
+//    req, resp := client.UntagResourceRequest(params)
+//
+//    err := req.Send()
+//    if err == nil { // resp is now filled
+//        fmt.Println(resp)
+//    }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/dlm-2018-01-12/UntagResource
+func (c *DLM) UntagResourceRequest(input *UntagResourceInput) (req *request.Request, output *UntagResourceOutput) {
+	op := &request.Operation{
+		Name:       opUntagResource,
+		HTTPMethod: "DELETE",
+		HTTPPath:   "/tags/{resourceArn}",
+	}
+
+	if input == nil {
+		input = &UntagResourceInput{}
+	}
+
+	output = &UntagResourceOutput{}
+	req = c.newRequest(op, input, output)
+	req.Handlers.Unmarshal.Swap(restjson.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
+	return
+}
+
+// UntagResource API operation for Amazon Data Lifecycle Manager.
+//
+// Removes the specified tags from the specified resource.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Data Lifecycle Manager's
+// API operation UntagResource for usage and error information.
+//
+// Returned Error Codes:
+//   * ErrCodeInternalServerException "InternalServerException"
+//   The service failed in an unexpected way.
+//
+//   * ErrCodeInvalidRequestException "InvalidRequestException"
+//   Bad request. The request is missing required parameters or has invalid parameters.
+//
+//   * ErrCodeResourceNotFoundException "ResourceNotFoundException"
+//   A requested resource was not found.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/dlm-2018-01-12/UntagResource
+func (c *DLM) UntagResource(input *UntagResourceInput) (*UntagResourceOutput, error) {
+	req, out := c.UntagResourceRequest(input)
+	return out, req.Send()
+}
+
+// UntagResourceWithContext is the same as UntagResource with the addition of
+// the ability to pass a context and additional request options.
+//
+// See UntagResource for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *DLM) UntagResourceWithContext(ctx aws.Context, input *UntagResourceInput, opts ...request.Option) (*UntagResourceOutput, error) {
+	req, out := c.UntagResourceRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
 const opUpdateLifecyclePolicy = "UpdateLifecyclePolicy"
 
 // UpdateLifecyclePolicyRequest generates a "aws/request.Request" representing the
@@ -467,8 +724,6 @@ type CreateLifecyclePolicyInput struct {
 
 	// The configuration details of the lifecycle policy.
 	//
-	// Target tags cannot be re-used across lifecycle policies.
-	//
 	// PolicyDetails is a required field
 	PolicyDetails *PolicyDetails `type:"structure" required:"true"`
 
@@ -476,6 +731,9 @@ type CreateLifecyclePolicyInput struct {
 	//
 	// State is a required field
 	State *string `type:"string" required:"true" enum:"SettablePolicyStateValues"`
+
+	// The tags to apply to the lifecycle policy during creation.
+	Tags map[string]*string `min:"1" type:"map"`
 }
 
 // String returns the string representation
@@ -503,6 +761,9 @@ func (s *CreateLifecyclePolicyInput) Validate() error {
 	if s.State == nil {
 		invalidParams.Add(request.NewErrParamRequired("State"))
 	}
+	if s.Tags != nil && len(s.Tags) < 1 {
+		invalidParams.Add(request.NewErrParamMinLen("Tags", 1))
+	}
 	if s.PolicyDetails != nil {
 		if err := s.PolicyDetails.Validate(); err != nil {
 			invalidParams.AddNested("PolicyDetails", err.(request.ErrInvalidParams))
@@ -539,6 +800,12 @@ func (s *CreateLifecyclePolicyInput) SetState(v string) *CreateLifecyclePolicyIn
 	return s
 }
 
+// SetTags sets the Tags field's value.
+func (s *CreateLifecyclePolicyInput) SetTags(v map[string]*string) *CreateLifecyclePolicyInput {
+	s.Tags = v
+	return s
+}
+
 type CreateLifecyclePolicyOutput struct {
 	_ struct{} `type:"structure"`
 
@@ -871,6 +1138,9 @@ type LifecyclePolicy struct {
 	// specified by the lifecycle policy.
 	ExecutionRoleArn *string `type:"string"`
 
+	// The Amazon Resource Name (ARN) of the policy.
+	PolicyArn *string `type:"string"`
+
 	// The configuration of the lifecycle policy
 	PolicyDetails *PolicyDetails `type:"structure"`
 
@@ -879,6 +1149,12 @@ type LifecyclePolicy struct {
 
 	// The activation state of the lifecycle policy.
 	State *string `type:"string" enum:"GettablePolicyStateValues"`
+
+	// The description of the status.
+	StatusMessage *string `type:"string"`
+
+	// The tags.
+	Tags map[string]*string `min:"1" type:"map"`
 }
 
 // String returns the string representation
@@ -915,6 +1191,12 @@ func (s *LifecyclePolicy) SetExecutionRoleArn(v string) *LifecyclePolicy {
 	return s
 }
 
+// SetPolicyArn sets the PolicyArn field's value.
+func (s *LifecyclePolicy) SetPolicyArn(v string) *LifecyclePolicy {
+	s.PolicyArn = &v
+	return s
+}
+
 // SetPolicyDetails sets the PolicyDetails field's value.
 func (s *LifecyclePolicy) SetPolicyDetails(v *PolicyDetails) *LifecyclePolicy {
 	s.PolicyDetails = v
@@ -933,6 +1215,18 @@ func (s *LifecyclePolicy) SetState(v string) *LifecyclePolicy {
 	return s
 }
 
+// SetStatusMessage sets the StatusMessage field's value.
+func (s *LifecyclePolicy) SetStatusMessage(v string) *LifecyclePolicy {
+	s.StatusMessage = &v
+	return s
+}
+
+// SetTags sets the Tags field's value.
+func (s *LifecyclePolicy) SetTags(v map[string]*string) *LifecyclePolicy {
+	s.Tags = v
+	return s
+}
+
 // Summary information about a lifecycle policy.
 type LifecyclePolicySummary struct {
 	_ struct{} `type:"structure"`
@@ -945,6 +1239,9 @@ type LifecyclePolicySummary struct {
 
 	// The activation state of the lifecycle policy.
 	State *string `type:"string" enum:"GettablePolicyStateValues"`
+
+	// The tags.
+	Tags map[string]*string `min:"1" type:"map"`
 }
 
 // String returns the string representation
@@ -975,6 +1272,76 @@ func (s *LifecyclePolicySummary) SetState(v string) *LifecyclePolicySummary {
 	return s
 }
 
+// SetTags sets the Tags field's value.
+func (s *LifecyclePolicySummary) SetTags(v map[string]*string) *LifecyclePolicySummary {
+	s.Tags = v
+	return s
+}
+
+type ListTagsForResourceInput struct {
+	_ struct{} `type:"structure"`
+
+	// The Amazon Resource Name (ARN) of the resource.
+	//
+	// ResourceArn is a required field
+	ResourceArn *string `location:"uri" locationName:"resourceArn" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s ListTagsForResourceInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ListTagsForResourceInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *ListTagsForResourceInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "ListTagsForResourceInput"}
+	if s.ResourceArn == nil {
+		invalidParams.Add(request.NewErrParamRequired("ResourceArn"))
+	}
+	if s.ResourceArn != nil && len(*s.ResourceArn) < 1 {
+		invalidParams.Add(request.NewErrParamMinLen("ResourceArn", 1))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetResourceArn sets the ResourceArn field's value.
+func (s *ListTagsForResourceInput) SetResourceArn(v string) *ListTagsForResourceInput {
+	s.ResourceArn = &v
+	return s
+}
+
+type ListTagsForResourceOutput struct {
+	_ struct{} `type:"structure"`
+
+	// Information about the tags.
+	Tags map[string]*string `min:"1" type:"map"`
+}
+
+// String returns the string representation
+func (s ListTagsForResourceOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ListTagsForResourceOutput) GoString() string {
+	return s.String()
+}
+
+// SetTags sets the Tags field's value.
+func (s *ListTagsForResourceOutput) SetTags(v map[string]*string) *ListTagsForResourceOutput {
+	s.Tags = v
+	return s
+}
+
 // Optional parameters that can be added to the policy. The set of valid parameters
 // depends on the combination of policyType and resourceType values.
 type Parameters struct {
@@ -1311,6 +1678,150 @@ func (s *Tag) SetValue(v string) *Tag {
 	return s
 }
 
+type TagResourceInput struct {
+	_ struct{} `type:"structure"`
+
+	// The Amazon Resource Name (ARN) of the resource.
+	//
+	// ResourceArn is a required field
+	ResourceArn *string `location:"uri" locationName:"resourceArn" type:"string" required:"true"`
+
+	// One or more tags.
+	//
+	// Tags is a required field
+	Tags map[string]*string `min:"1" type:"map" required:"true"`
+}
+
+// String returns the string representation
+func (s TagResourceInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s TagResourceInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *TagResourceInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "TagResourceInput"}
+	if s.ResourceArn == nil {
+		invalidParams.Add(request.NewErrParamRequired("ResourceArn"))
+	}
+	if s.ResourceArn != nil && len(*s.ResourceArn) < 1 {
+		invalidParams.Add(request.NewErrParamMinLen("ResourceArn", 1))
+	}
+	if s.Tags == nil {
+		invalidParams.Add(request.NewErrParamRequired("Tags"))
+	}
+	if s.Tags != nil && len(s.Tags) < 1 {
+		invalidParams.Add(request.NewErrParamMinLen("Tags", 1))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetResourceArn sets the ResourceArn field's value.
+func (s *TagResourceInput) SetResourceArn(v string) *TagResourceInput {
+	s.ResourceArn = &v
+	return s
+}
+
+// SetTags sets the Tags field's value.
+func (s *TagResourceInput) SetTags(v map[string]*string) *TagResourceInput {
+	s.Tags = v
+	return s
+}
+
+type TagResourceOutput struct {
+	_ struct{} `type:"structure"`
+}
+
+// String returns the string representation
+func (s TagResourceOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s TagResourceOutput) GoString() string {
+	return s.String()
+}
+
+type UntagResourceInput struct {
+	_ struct{} `type:"structure"`
+
+	// The Amazon Resource Name (ARN) of the resource.
+	//
+	// ResourceArn is a required field
+	ResourceArn *string `location:"uri" locationName:"resourceArn" type:"string" required:"true"`
+
+	// The tag keys.
+	//
+	// TagKeys is a required field
+	TagKeys []*string `location:"querystring" locationName:"tagKeys" min:"1" type:"list" required:"true"`
+}
+
+// String returns the string representation
+func (s UntagResourceInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s UntagResourceInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *UntagResourceInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "UntagResourceInput"}
+	if s.ResourceArn == nil {
+		invalidParams.Add(request.NewErrParamRequired("ResourceArn"))
+	}
+	if s.ResourceArn != nil && len(*s.ResourceArn) < 1 {
+		invalidParams.Add(request.NewErrParamMinLen("ResourceArn", 1))
+	}
+	if s.TagKeys == nil {
+		invalidParams.Add(request.NewErrParamRequired("TagKeys"))
+	}
+	if s.TagKeys != nil && len(s.TagKeys) < 1 {
+		invalidParams.Add(request.NewErrParamMinLen("TagKeys", 1))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetResourceArn sets the ResourceArn field's value.
+func (s *UntagResourceInput) SetResourceArn(v string) *UntagResourceInput {
+	s.ResourceArn = &v
+	return s
+}
+
+// SetTagKeys sets the TagKeys field's value.
+func (s *UntagResourceInput) SetTagKeys(v []*string) *UntagResourceInput {
+	s.TagKeys = v
+	return s
+}
+
+type UntagResourceOutput struct {
+	_ struct{} `type:"structure"`
+}
+
+// String returns the string representation
+func (s UntagResourceOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s UntagResourceOutput) GoString() string {
+	return s.String()
+}
+
 type UpdateLifecyclePolicyInput struct {
 	_ struct{} `type:"structure"`
 
@@ -1321,9 +1832,8 @@ type UpdateLifecyclePolicyInput struct {
 	// specified by the lifecycle policy.
 	ExecutionRoleArn *string `type:"string"`
 
-	// The configuration of the lifecycle policy.
-	//
-	// Target tags cannot be re-used across policies.
+	// The configuration of the lifecycle policy. You cannot update the policy type
+	// or the resource type.
 	PolicyDetails *PolicyDetails `type:"structure"`
 
 	// The identifier of the lifecycle policy.
diff --git a/vendor/github.com/aws/aws-sdk-go/service/dynamodb/api.go b/vendor/github.com/aws/aws-sdk-go/service/dynamodb/api.go
index 8c889ff34554..51e419e94927 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/dynamodb/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/dynamodb/api.go
@@ -3905,16 +3905,6 @@ func (c *DynamoDB) TransactGetItemsRequest(input *TransactGetItemsInput) (req *r
 // cannot retrieve items from tables in more than one AWS account or Region.
 // The aggregate size of the items in the transaction cannot exceed 4 MB.
 //
-// All AWS Regions and AWS GovCloud (US) support up to 25 items per transaction
-// with up to 4 MB of data, except the following AWS Regions:
-//
-//    * China (Beijing)
-//
-//    * China (Ningxia)
-//
-// The China (Beijing) and China (Ningxia) Regions support up to 10 items per
-// transaction with up to 4 MB of data.
-//
 // DynamoDB rejects the entire TransactGetItems request if any of the following
 // is true:
 //
@@ -3960,8 +3950,6 @@ func (c *DynamoDB) TransactGetItemsRequest(input *TransactGetItemsInput) (req *r
 //      index (LSI) becomes too large, or a similar validation error occurs because
 //      of changes made by the transaction.
 //
-//      * The aggregate size of the items in the transaction exceeds 4 MBs.
-//
 //      * There is a user error, such as an invalid data format.
 //
 //   DynamoDB cancels a TransactGetItems request under the following circumstances:
@@ -3976,8 +3964,6 @@ func (c *DynamoDB) TransactGetItemsRequest(input *TransactGetItemsInput) (req *r
 //      * There is insufficient provisioned capacity for the transaction to be
 //      completed.
 //
-//      * The aggregate size of the items in the transaction exceeds 4 MBs.
-//
 //      * There is a user error, such as an invalid data format.
 //
 //   If using Java, DynamoDB lists the cancellation reasons on the CancellationReasons
@@ -4039,6 +4025,11 @@ func (c *DynamoDB) TransactGetItemsRequest(input *TransactGetItemsInput) (req *r
 //   Exponential Backoff (https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Programming.Errors.html#Programming.Errors.RetryAndBackoff)
 //   in the Amazon DynamoDB Developer Guide.
 //
+//   * ErrCodeRequestLimitExceeded "RequestLimitExceeded"
+//   Throughput exceeds the current throughput limit for your account. Please
+//   contact AWS Support at AWS Support (https://aws.amazon.com/support) to request
+//   a limit increase.
+//
 //   * ErrCodeInternalServerError "InternalServerError"
 //   An error occurred on the server side.
 //
@@ -4136,16 +4127,6 @@ func (c *DynamoDB) TransactWriteItemsRequest(input *TransactWriteItemsInput) (re
 // item. The aggregate size of the items in the transaction cannot exceed 4
 // MB.
 //
-// All AWS Regions and AWS GovCloud (US) support up to 25 items per transaction
-// with up to 4 MB of data, except the following AWS Regions:
-//
-//    * China (Beijing)
-//
-//    * China (Ningxia)
-//
-// The China (Beijing) and China (Ningxia) Regions support up to 10 items per
-// transaction with up to 4 MB of data.
-//
 // The actions are completed atomically so that either all of them succeed,
 // or all of them fail. They are defined by the following objects:
 //
@@ -4226,8 +4207,6 @@ func (c *DynamoDB) TransactWriteItemsRequest(input *TransactWriteItemsInput) (re
 //      index (LSI) becomes too large, or a similar validation error occurs because
 //      of changes made by the transaction.
 //
-//      * The aggregate size of the items in the transaction exceeds 4 MBs.
-//
 //      * There is a user error, such as an invalid data format.
 //
 //   DynamoDB cancels a TransactGetItems request under the following circumstances:
@@ -4242,8 +4221,6 @@ func (c *DynamoDB) TransactWriteItemsRequest(input *TransactWriteItemsInput) (re
 //      * There is insufficient provisioned capacity for the transaction to be
 //      completed.
 //
-//      * The aggregate size of the items in the transaction exceeds 4 MBs.
-//
 //      * There is a user error, such as an invalid data format.
 //
 //   If using Java, DynamoDB lists the cancellation reasons on the CancellationReasons
@@ -4312,6 +4289,11 @@ func (c *DynamoDB) TransactWriteItemsRequest(input *TransactWriteItemsInput) (re
 //   Exponential Backoff (https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Programming.Errors.html#Programming.Errors.RetryAndBackoff)
 //   in the Amazon DynamoDB Developer Guide.
 //
+//   * ErrCodeRequestLimitExceeded "RequestLimitExceeded"
+//   Throughput exceeds the current throughput limit for your account. Please
+//   contact AWS Support at AWS Support (https://aws.amazon.com/support) to request
+//   a limit increase.
+//
 //   * ErrCodeInternalServerError "InternalServerError"
 //   An error occurred on the server side.
 //
@@ -5603,7 +5585,7 @@ func (s *AutoScalingPolicyDescription) SetTargetTrackingScalingPolicyConfigurati
 	return s
 }
 
-// Represents the autoscaling policy to be modified.
+// Represents the auto scaling policy to be modified.
 type AutoScalingPolicyUpdate struct {
 	_ struct{} `type:"structure"`
 
@@ -5659,15 +5641,15 @@ func (s *AutoScalingPolicyUpdate) SetTargetTrackingScalingPolicyConfiguration(v
 	return s
 }
 
-// Represents the autoscaling settings for a global table or global secondary
+// Represents the auto scaling settings for a global table or global secondary
 // index.
 type AutoScalingSettingsDescription struct {
 	_ struct{} `type:"structure"`
 
-	// Disabled autoscaling for this global table or global secondary index.
+	// Disabled auto scaling for this global table or global secondary index.
 	AutoScalingDisabled *bool `type:"boolean"`
 
-	// Role ARN used for configuring autoScaling policy.
+	// Role ARN used for configuring the auto scaling policy.
 	AutoScalingRoleArn *string `type:"string"`
 
 	// The maximum capacity units that a global table or global secondary index
@@ -5722,15 +5704,15 @@ func (s *AutoScalingSettingsDescription) SetScalingPolicies(v []*AutoScalingPoli
 	return s
 }
 
-// Represents the autoscaling settings to be modified for a global table or
+// Represents the auto scaling settings to be modified for a global table or
 // global secondary index.
 type AutoScalingSettingsUpdate struct {
 	_ struct{} `type:"structure"`
 
-	// Disabled autoscaling for this global table or global secondary index.
+	// Disabled auto scaling for this global table or global secondary index.
 	AutoScalingDisabled *bool `type:"boolean"`
 
-	// Role ARN used for configuring autoscaling policy.
+	// Role ARN used for configuring auto scaling policy.
 	AutoScalingRoleArn *string `min:"1" type:"string"`
 
 	// The maximum capacity units that a global table or global secondary index
@@ -5826,7 +5808,7 @@ type AutoScalingTargetTrackingScalingPolicyConfigurationDescription struct {
 	// subsequent scale in requests until it has expired. You should scale in conservatively
 	// to protect your application's availability. However, if another alarm triggers
 	// a scale out policy during the cooldown period after a scale-in, application
-	// autoscaling scales out your scalable target immediately.
+	// auto scaling scales out your scalable target immediately.
 	ScaleInCooldown *int64 `type:"integer"`
 
 	// The amount of time, in seconds, after a scale out activity completes before
@@ -5894,7 +5876,7 @@ type AutoScalingTargetTrackingScalingPolicyConfigurationUpdate struct {
 	// subsequent scale in requests until it has expired. You should scale in conservatively
 	// to protect your application's availability. However, if another alarm triggers
 	// a scale out policy during the cooldown period after a scale-in, application
-	// autoscaling scales out your scalable target immediately.
+	// auto scaling scales out your scalable target immediately.
 	ScaleInCooldown *int64 `type:"integer"`
 
 	// The amount of time, in seconds, after a scale out activity completes before
@@ -6897,7 +6879,7 @@ func (s *Condition) SetComparisonOperator(v string) *Condition {
 }
 
 // Represents a request to perform a check that an item exists or to check the
-// condition of specific attributes of the item..
+// condition of specific attributes of the item.
 type ConditionCheck struct {
 	_ struct{} `type:"structure"`
 
@@ -7388,7 +7370,7 @@ func (s *CreateGlobalTableOutput) SetGlobalTableDescription(v *GlobalTableDescri
 type CreateReplicaAction struct {
 	_ struct{} `type:"structure"`
 
-	// The region of the replica to be added.
+	// The Region of the replica to be added.
 	//
 	// RegionName is a required field
 	RegionName *string `type:"string" required:"true"`
@@ -7435,11 +7417,11 @@ type CreateTableInput struct {
 	// Controls how you are charged for read and write throughput and how you manage
 	// capacity. This setting can be changed later.
 	//
-	//    * PROVISIONED - Sets the billing mode to PROVISIONED. We recommend using
-	//    PROVISIONED for predictable workloads.
+	//    * PROVISIONED - We recommend using PROVISIONED for predictable workloads.
+	//    PROVISIONED sets the billing mode to Provisioned Mode (https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html#HowItWorks.ProvisionedThroughput.Manual).
 	//
-	//    * PAY_PER_REQUEST - Sets the billing mode to PAY_PER_REQUEST. We recommend
-	//    using PAY_PER_REQUEST for unpredictable workloads.
+	//    * PAY_PER_REQUEST - We recommend using PAY_PER_REQUEST for unpredictable
+	//    workloads. PAY_PER_REQUEST sets the billing mode to On-Demand Mode (https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html#HowItWorks.OnDemand).
 	BillingMode *string `type:"string" enum:"BillingMode"`
 
 	// One or more global secondary indexes (the maximum is 20) to be created on
@@ -8243,7 +8225,7 @@ func (s *DeleteItemOutput) SetItemCollectionMetrics(v *ItemCollectionMetrics) *D
 type DeleteReplicaAction struct {
 	_ struct{} `type:"structure"`
 
-	// The region of the replica to be removed.
+	// The Region of the replica to be removed.
 	//
 	// RegionName is a required field
 	RegionName *string `type:"string" required:"true"`
@@ -8918,7 +8900,7 @@ func (s *Endpoint) SetCachePeriodInMinutes(v int64) *Endpoint {
 }
 
 // Represents a condition to be compared with an attribute value. This condition
-// can be used with DeleteItem, PutItem or UpdateItem operations; if the comparison
+// can be used with DeleteItem, PutItem, or UpdateItem operations; if the comparison
 // evaluates to true, the operation succeeds; if not, the operation fails. You
 // can use ExpectedAttributeValue in one of two different ways:
 //
@@ -9443,7 +9425,7 @@ type GlobalSecondaryIndex struct {
 	//    * RANGE - sort key
 	//
 	// The partition key of an item is also known as its hash attribute. The term
-	// "hash attribute" derives from DynamoDB' usage of an internal hash function
+	// "hash attribute" derives from DynamoDB's usage of an internal hash function
 	// to evenly distribute data items across partitions, based on their partition
 	// key values.
 	//
@@ -9560,6 +9542,11 @@ type GlobalSecondaryIndexDescription struct {
 	// DynamoDB will do so. After all items have been processed, the backfilling
 	// operation is complete and Backfilling is false.
 	//
+	// You can delete an index that is being created during the Backfilling phase
+	// when IndexStatus is set to CREATING and Backfilling is true. You can't delete
+	// the index that is being created when IndexStatus is set to CREATING and Backfilling
+	// is false.
+	//
 	// For indexes that were created during a CreateTable operation, the Backfilling
 	// attribute does not appear in the DescribeTable output.
 	Backfilling *bool `type:"boolean"`
@@ -9598,7 +9585,7 @@ type GlobalSecondaryIndexDescription struct {
 	//    * RANGE - sort key
 	//
 	// The partition key of an item is also known as its hash attribute. The term
-	// "hash attribute" derives from DynamoDB' usage of an internal hash function
+	// "hash attribute" derives from DynamoDB's usage of an internal hash function
 	// to evenly distribute data items across partitions, based on their partition
 	// key values.
 	//
@@ -9701,7 +9688,7 @@ type GlobalSecondaryIndexInfo struct {
 	//    * RANGE - sort key
 	//
 	// The partition key of an item is also known as its hash attribute. The term
-	// "hash attribute" derives from DynamoDB' usage of an internal hash function
+	// "hash attribute" derives from DynamoDB's usage of an internal hash function
 	// to evenly distribute data items across partitions, based on their partition
 	// key values.
 	//
@@ -9847,7 +9834,7 @@ type GlobalTable struct {
 	// The global table name.
 	GlobalTableName *string `min:"3" type:"string"`
 
-	// The regions where the global table has replicas.
+	// The Regions where the global table has replicas.
 	ReplicationGroup []*Replica `type:"list"`
 }
 
@@ -9897,7 +9884,7 @@ type GlobalTableDescription struct {
 	//    * ACTIVE - The global table is ready for use.
 	GlobalTableStatus *string `type:"string" enum:"GlobalTableStatus"`
 
-	// The regions where the global table has replicas.
+	// The Regions where the global table has replicas.
 	ReplicationGroup []*ReplicaDescription `type:"list"`
 }
 
@@ -9952,7 +9939,7 @@ type GlobalTableGlobalSecondaryIndexSettingsUpdate struct {
 	// IndexName is a required field
 	IndexName *string `min:"3" type:"string" required:"true"`
 
-	// AutoScaling settings for managing a global secondary index's write capacity
+	// Auto scaling settings for managing a global secondary index's write capacity
 	// units.
 	ProvisionedWriteCapacityAutoScalingSettingsUpdate *AutoScalingSettingsUpdate `type:"structure"`
 
@@ -10108,7 +10095,7 @@ type KeySchemaElement struct {
 	//    * RANGE - sort key
 	//
 	// The partition key of an item is also known as its hash attribute. The term
-	// "hash attribute" derives from DynamoDB' usage of an internal hash function
+	// "hash attribute" derives from DynamoDB's usage of an internal hash function
 	// to evenly distribute data items across partitions, based on their partition
 	// key values.
 	//
@@ -10725,7 +10712,7 @@ type LocalSecondaryIndex struct {
 	//    * RANGE - sort key
 	//
 	// The partition key of an item is also known as its hash attribute. The term
-	// "hash attribute" derives from DynamoDB' usage of an internal hash function
+	// "hash attribute" derives from DynamoDB's usage of an internal hash function
 	// to evenly distribute data items across partitions, based on their partition
 	// key values.
 	//
@@ -10839,7 +10826,7 @@ type LocalSecondaryIndexDescription struct {
 	//    * RANGE - sort key
 	//
 	// The partition key of an item is also known as its hash attribute. The term
-	// "hash attribute" derives from DynamoDB' usage of an internal hash function
+	// "hash attribute" derives from DynamoDB's usage of an internal hash function
 	// to evenly distribute data items across partitions, based on their partition
 	// key values.
 	//
@@ -10916,7 +10903,7 @@ type LocalSecondaryIndexInfo struct {
 	//    * RANGE - sort key
 	//
 	// The partition key of an item is also known as its hash attribute. The term
-	// "hash attribute" derives from DynamoDB' usage of an internal hash function
+	// "hash attribute" derives from DynamoDB's usage of an internal hash function
 	// to evenly distribute data items across partitions, based on their partition
 	// key values.
 	//
@@ -10963,8 +10950,8 @@ func (s *LocalSecondaryIndexInfo) SetProjection(v *Projection) *LocalSecondaryIn
 type PointInTimeRecoveryDescription struct {
 	_ struct{} `type:"structure"`
 
-	// Specifies the earliest point in time you can restore your table to. It You
-	// can restore your table to any point in time during the last 35 days.
+	// Specifies the earliest point in time you can restore your table to. You can
+	// restore your table to any point in time during the last 35 days.
 	EarliestRestorableDateTime *time.Time `type:"timestamp"`
 
 	// LatestRestorableDateTime is typically 5 minutes before the current time.
@@ -11067,7 +11054,7 @@ type Projection struct {
 	//    * KEYS_ONLY - Only the index and primary keys are projected into the index.
 	//
 	//    * INCLUDE - Only the specified table attributes are projected into the
-	//    index. The list of projected attributes are in NonKeyAttributes.
+	//    index. The list of projected attributes is in NonKeyAttributes.
 	//
 	//    * ALL - All of the table attributes are projected into the index.
 	ProjectionType *string `type:"string" enum:"ProjectionType"`
@@ -11662,7 +11649,7 @@ type PutRequest struct {
 	// A map of attribute name to attribute values, representing the primary key
 	// of an item to be processed by PutItem. All of the table's primary key attributes
 	// must be specified, and their data types must match those of the table's key
-	// schema. If any attributes are present in the item which are part of an index
+	// schema. If any attributes are present in the item that are part of an index
 	// key schema for the table, their types must match the index key schema.
 	//
 	// Item is a required field
@@ -12225,7 +12212,7 @@ func (s *QueryOutput) SetScannedCount(v int64) *QueryOutput {
 type Replica struct {
 	_ struct{} `type:"structure"`
 
-	// The region where the replica needs to be created.
+	// The Region where the replica needs to be created.
 	RegionName *string `type:"string"`
 }
 
@@ -12249,7 +12236,7 @@ func (s *Replica) SetRegionName(v string) *Replica {
 type ReplicaDescription struct {
 	_ struct{} `type:"structure"`
 
-	// The name of the region.
+	// The name of the Region.
 	RegionName *string `type:"string"`
 }
 
@@ -12290,7 +12277,7 @@ type ReplicaGlobalSecondaryIndexSettingsDescription struct {
 	//    * ACTIVE - The global secondary index is ready for use.
 	IndexStatus *string `type:"string" enum:"IndexStatus"`
 
-	// Autoscaling settings for a global secondary index replica's read capacity
+	// Auto scaling settings for a global secondary index replica's read capacity
 	// units.
 	ProvisionedReadCapacityAutoScalingSettings *AutoScalingSettingsDescription `type:"structure"`
 
@@ -12298,7 +12285,7 @@ type ReplicaGlobalSecondaryIndexSettingsDescription struct {
 	// DynamoDB returns a ThrottlingException.
 	ProvisionedReadCapacityUnits *int64 `min:"1" type:"long"`
 
-	// AutoScaling settings for a global secondary index replica's write capacity
+	// Auto scaling settings for a global secondary index replica's write capacity
 	// units.
 	ProvisionedWriteCapacityAutoScalingSettings *AutoScalingSettingsDescription `type:"structure"`
 
@@ -12364,7 +12351,7 @@ type ReplicaGlobalSecondaryIndexSettingsUpdate struct {
 	// IndexName is a required field
 	IndexName *string `min:"3" type:"string" required:"true"`
 
-	// Autoscaling settings for managing a global secondary index replica's read
+	// Auto scaling settings for managing a global secondary index replica's read
 	// capacity units.
 	ProvisionedReadCapacityAutoScalingSettingsUpdate *AutoScalingSettingsUpdate `type:"structure"`
 
@@ -12429,7 +12416,7 @@ func (s *ReplicaGlobalSecondaryIndexSettingsUpdate) SetProvisionedReadCapacityUn
 type ReplicaSettingsDescription struct {
 	_ struct{} `type:"structure"`
 
-	// The region name of the replica.
+	// The Region name of the replica.
 	//
 	// RegionName is a required field
 	RegionName *string `type:"string" required:"true"`
@@ -12440,7 +12427,7 @@ type ReplicaSettingsDescription struct {
 	// Replica global secondary index settings for the global table.
 	ReplicaGlobalSecondaryIndexSettings []*ReplicaGlobalSecondaryIndexSettingsDescription `type:"list"`
 
-	// Autoscaling settings for a global table replica's read capacity units.
+	// Auto scaling settings for a global table replica's read capacity units.
 	ReplicaProvisionedReadCapacityAutoScalingSettings *AutoScalingSettingsDescription `type:"structure"`
 
 	// The maximum number of strongly consistent reads consumed per second before
@@ -12449,7 +12436,7 @@ type ReplicaSettingsDescription struct {
 	// in the Amazon DynamoDB Developer Guide.
 	ReplicaProvisionedReadCapacityUnits *int64 `type:"long"`
 
-	// AutoScaling settings for a global table replica's write capacity units.
+	// Auto scaling settings for a global table replica's write capacity units.
 	ReplicaProvisionedWriteCapacityAutoScalingSettings *AutoScalingSettingsDescription `type:"structure"`
 
 	// The maximum number of writes consumed per second before DynamoDB returns
@@ -12458,15 +12445,15 @@ type ReplicaSettingsDescription struct {
 	// in the Amazon DynamoDB Developer Guide.
 	ReplicaProvisionedWriteCapacityUnits *int64 `type:"long"`
 
-	// The current state of the region:
+	// The current state of the Region:
 	//
-	//    * CREATING - The region is being created.
+	//    * CREATING - The Region is being created.
 	//
-	//    * UPDATING - The region is being updated.
+	//    * UPDATING - The Region is being updated.
 	//
-	//    * DELETING - The region is being deleted.
+	//    * DELETING - The Region is being deleted.
 	//
-	//    * ACTIVE - The region is ready for use.
+	//    * ACTIVE - The Region is ready for use.
 	ReplicaStatus *string `type:"string" enum:"ReplicaStatus"`
 }
 
@@ -12528,11 +12515,11 @@ func (s *ReplicaSettingsDescription) SetReplicaStatus(v string) *ReplicaSettings
 	return s
 }
 
-// Represents the settings for a global table in a region that will be modified.
+// Represents the settings for a global table in a Region that will be modified.
 type ReplicaSettingsUpdate struct {
 	_ struct{} `type:"structure"`
 
-	// The region of the replica to be added.
+	// The Region of the replica to be added.
 	//
 	// RegionName is a required field
 	RegionName *string `type:"string" required:"true"`
@@ -12541,7 +12528,7 @@ type ReplicaSettingsUpdate struct {
 	// will be modified.
 	ReplicaGlobalSecondaryIndexSettingsUpdate []*ReplicaGlobalSecondaryIndexSettingsUpdate `min:"1" type:"list"`
 
-	// Autoscaling settings for managing a global table replica's read capacity
+	// Auto scaling settings for managing a global table replica's read capacity
 	// units.
 	ReplicaProvisionedReadCapacityAutoScalingSettingsUpdate *AutoScalingSettingsUpdate `type:"structure"`
 
@@ -12693,10 +12680,10 @@ type RestoreSummary struct {
 	// RestoreInProgress is a required field
 	RestoreInProgress *bool `type:"boolean" required:"true"`
 
-	// ARN of the backup from which the table was restored.
+	// The Amazon Resource Name (ARN) of the backup from which the table was restored.
 	SourceBackupArn *string `min:"37" type:"string"`
 
-	// ARN of the source table of the backup that is being restored.
+	// The ARN of the source table of the backup that is being restored.
 	SourceTableArn *string `type:"string"`
 }
 
@@ -12742,6 +12729,22 @@ type RestoreTableFromBackupInput struct {
 	// BackupArn is a required field
 	BackupArn *string `min:"37" type:"string" required:"true"`
 
+	// The billing mode of the restored table.
+	BillingModeOverride *string `type:"string" enum:"BillingMode"`
+
+	// List of global secondary indexes for the restored table. The indexes provided
+	// should match existing secondary indexes. You can choose to exclude some or
+	// all of the indexes at the time of restore.
+	GlobalSecondaryIndexOverride []*GlobalSecondaryIndex `type:"list"`
+
+	// List of local secondary indexes for the restored table. The indexes provided
+	// should match existing secondary indexes. You can choose to exclude some or
+	// all of the indexes at the time of restore.
+	LocalSecondaryIndexOverride []*LocalSecondaryIndex `type:"list"`
+
+	// Provisioned throughput settings for the restored table.
+	ProvisionedThroughputOverride *ProvisionedThroughput `type:"structure"`
+
 	// The name of the new table to which the backup must be restored.
 	//
 	// TargetTableName is a required field
@@ -12773,6 +12776,31 @@ func (s *RestoreTableFromBackupInput) Validate() error {
 	if s.TargetTableName != nil && len(*s.TargetTableName) < 3 {
 		invalidParams.Add(request.NewErrParamMinLen("TargetTableName", 3))
 	}
+	if s.GlobalSecondaryIndexOverride != nil {
+		for i, v := range s.GlobalSecondaryIndexOverride {
+			if v == nil {
+				continue
+			}
+			if err := v.Validate(); err != nil {
+				invalidParams.AddNested(fmt.Sprintf("%s[%v]", "GlobalSecondaryIndexOverride", i), err.(request.ErrInvalidParams))
+			}
+		}
+	}
+	if s.LocalSecondaryIndexOverride != nil {
+		for i, v := range s.LocalSecondaryIndexOverride {
+			if v == nil {
+				continue
+			}
+			if err := v.Validate(); err != nil {
+				invalidParams.AddNested(fmt.Sprintf("%s[%v]", "LocalSecondaryIndexOverride", i), err.(request.ErrInvalidParams))
+			}
+		}
+	}
+	if s.ProvisionedThroughputOverride != nil {
+		if err := s.ProvisionedThroughputOverride.Validate(); err != nil {
+			invalidParams.AddNested("ProvisionedThroughputOverride", err.(request.ErrInvalidParams))
+		}
+	}
 
 	if invalidParams.Len() > 0 {
 		return invalidParams
@@ -12786,6 +12814,30 @@ func (s *RestoreTableFromBackupInput) SetBackupArn(v string) *RestoreTableFromBa
 	return s
 }
 
+// SetBillingModeOverride sets the BillingModeOverride field's value.
+func (s *RestoreTableFromBackupInput) SetBillingModeOverride(v string) *RestoreTableFromBackupInput {
+	s.BillingModeOverride = &v
+	return s
+}
+
+// SetGlobalSecondaryIndexOverride sets the GlobalSecondaryIndexOverride field's value.
+func (s *RestoreTableFromBackupInput) SetGlobalSecondaryIndexOverride(v []*GlobalSecondaryIndex) *RestoreTableFromBackupInput {
+	s.GlobalSecondaryIndexOverride = v
+	return s
+}
+
+// SetLocalSecondaryIndexOverride sets the LocalSecondaryIndexOverride field's value.
+func (s *RestoreTableFromBackupInput) SetLocalSecondaryIndexOverride(v []*LocalSecondaryIndex) *RestoreTableFromBackupInput {
+	s.LocalSecondaryIndexOverride = v
+	return s
+}
+
+// SetProvisionedThroughputOverride sets the ProvisionedThroughputOverride field's value.
+func (s *RestoreTableFromBackupInput) SetProvisionedThroughputOverride(v *ProvisionedThroughput) *RestoreTableFromBackupInput {
+	s.ProvisionedThroughputOverride = v
+	return s
+}
+
 // SetTargetTableName sets the TargetTableName field's value.
 func (s *RestoreTableFromBackupInput) SetTargetTableName(v string) *RestoreTableFromBackupInput {
 	s.TargetTableName = &v
@@ -12818,6 +12870,22 @@ func (s *RestoreTableFromBackupOutput) SetTableDescription(v *TableDescription)
 type RestoreTableToPointInTimeInput struct {
 	_ struct{} `type:"structure"`
 
+	// The billing mode of the restored table.
+	BillingModeOverride *string `type:"string" enum:"BillingMode"`
+
+	// List of global secondary indexes for the restored table. The indexes provided
+	// should match existing secondary indexes. You can choose to exclude some or
+	// all of the indexes at the time of restore.
+	GlobalSecondaryIndexOverride []*GlobalSecondaryIndex `type:"list"`
+
+	// List of local secondary indexes for the restored table. The indexes provided
+	// should match existing secondary indexes. You can choose to exclude some or
+	// all of the indexes at the time of restore.
+	LocalSecondaryIndexOverride []*LocalSecondaryIndex `type:"list"`
+
+	// Provisioned throughput settings for the restored table.
+	ProvisionedThroughputOverride *ProvisionedThroughput `type:"structure"`
+
 	// Time in the past to restore the table to.
 	RestoreDateTime *time.Time `type:"timestamp"`
 
@@ -12861,6 +12929,31 @@ func (s *RestoreTableToPointInTimeInput) Validate() error {
 	if s.TargetTableName != nil && len(*s.TargetTableName) < 3 {
 		invalidParams.Add(request.NewErrParamMinLen("TargetTableName", 3))
 	}
+	if s.GlobalSecondaryIndexOverride != nil {
+		for i, v := range s.GlobalSecondaryIndexOverride {
+			if v == nil {
+				continue
+			}
+			if err := v.Validate(); err != nil {
+				invalidParams.AddNested(fmt.Sprintf("%s[%v]", "GlobalSecondaryIndexOverride", i), err.(request.ErrInvalidParams))
+			}
+		}
+	}
+	if s.LocalSecondaryIndexOverride != nil {
+		for i, v := range s.LocalSecondaryIndexOverride {
+			if v == nil {
+				continue
+			}
+			if err := v.Validate(); err != nil {
+				invalidParams.AddNested(fmt.Sprintf("%s[%v]", "LocalSecondaryIndexOverride", i), err.(request.ErrInvalidParams))
+			}
+		}
+	}
+	if s.ProvisionedThroughputOverride != nil {
+		if err := s.ProvisionedThroughputOverride.Validate(); err != nil {
+			invalidParams.AddNested("ProvisionedThroughputOverride", err.(request.ErrInvalidParams))
+		}
+	}
 
 	if invalidParams.Len() > 0 {
 		return invalidParams
@@ -12868,6 +12961,30 @@ func (s *RestoreTableToPointInTimeInput) Validate() error {
 	return nil
 }
 
+// SetBillingModeOverride sets the BillingModeOverride field's value.
+func (s *RestoreTableToPointInTimeInput) SetBillingModeOverride(v string) *RestoreTableToPointInTimeInput {
+	s.BillingModeOverride = &v
+	return s
+}
+
+// SetGlobalSecondaryIndexOverride sets the GlobalSecondaryIndexOverride field's value.
+func (s *RestoreTableToPointInTimeInput) SetGlobalSecondaryIndexOverride(v []*GlobalSecondaryIndex) *RestoreTableToPointInTimeInput {
+	s.GlobalSecondaryIndexOverride = v
+	return s
+}
+
+// SetLocalSecondaryIndexOverride sets the LocalSecondaryIndexOverride field's value.
+func (s *RestoreTableToPointInTimeInput) SetLocalSecondaryIndexOverride(v []*LocalSecondaryIndex) *RestoreTableToPointInTimeInput {
+	s.LocalSecondaryIndexOverride = v
+	return s
+}
+
+// SetProvisionedThroughputOverride sets the ProvisionedThroughputOverride field's value.
+func (s *RestoreTableToPointInTimeInput) SetProvisionedThroughputOverride(v *ProvisionedThroughput) *RestoreTableToPointInTimeInput {
+	s.ProvisionedThroughputOverride = v
+	return s
+}
+
 // SetRestoreDateTime sets the RestoreDateTime field's value.
 func (s *RestoreTableToPointInTimeInput) SetRestoreDateTime(v time.Time) *RestoreTableToPointInTimeInput {
 	s.RestoreDateTime = &v
@@ -12919,13 +13036,14 @@ func (s *RestoreTableToPointInTimeOutput) SetTableDescription(v *TableDescriptio
 type SSEDescription struct {
 	_ struct{} `type:"structure"`
 
-	// The KMS customer master key (CMK) ARN used for the KMS encryption.
+	// The KMS customer master key (CMK) ARN used for the AWS KMS encryption.
 	KMSMasterKeyArn *string `type:"string"`
 
 	// Server-side encryption type. The only supported value is:
 	//
-	//    * KMS - Server-side encryption which uses AWS Key Management Service.
-	//    Key is stored in your account and is managed by AWS KMS (KMS charges apply).
+	//    * KMS - Server-side encryption that uses AWS Key Management Service. The
+	//    key is stored in your account and is managed by AWS KMS (AWS KMS charges
+	//    apply).
 	SSEType *string `type:"string" enum:"SSEType"`
 
 	// Represents the current state of server-side encryption. The only supported
@@ -12975,16 +13093,17 @@ type SSESpecification struct {
 	// (false) or not specified, server-side encryption is set to AWS owned CMK.
 	Enabled *bool `type:"boolean"`
 
-	// The KMS Customer Master Key (CMK) which should be used for the KMS encryption.
+	// The KMS customer master key (CMK) that should be used for the AWS KMS encryption.
 	// To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name,
 	// or alias ARN. Note that you should only provide this parameter if the key
-	// is different from the default DynamoDB Customer Master Key alias/aws/dynamodb.
+	// is different from the default DynamoDB customer master key alias/aws/dynamodb.
 	KMSMasterKeyId *string `type:"string"`
 
 	// Server-side encryption type. The only supported value is:
 	//
-	//    * KMS - Server-side encryption which uses AWS Key Management Service.
-	//    Key is stored in your account and is managed by AWS KMS (KMS charges apply).
+	//    * KMS - Server-side encryption that uses AWS Key Management Service. The
+	//    key is stored in your account and is managed by AWS KMS (AWS KMS charges
+	//    apply).
 	SSEType *string `type:"string" enum:"SSEType"`
 }
 
@@ -13502,7 +13621,7 @@ type SourceTableDetails struct {
 	//    We recommend using PAY_PER_REQUEST for unpredictable workloads.
 	BillingMode *string `type:"string" enum:"BillingMode"`
 
-	// Number of items in the table. Please note this is an approximate value.
+	// Number of items in the table. Note that this is an approximate value.
 	ItemCount *int64 `type:"long"`
 
 	// Schema of the table.
@@ -13533,7 +13652,7 @@ type SourceTableDetails struct {
 	// TableName is a required field
 	TableName *string `min:"3" type:"string" required:"true"`
 
-	// Size of the table in bytes. Please note this is an approximate value.
+	// Size of the table in bytes. Note that this is an approximate value.
 	TableSizeBytes *int64 `type:"long"`
 }
 
@@ -13607,7 +13726,7 @@ type SourceTableFeatureDetails struct {
 	_ struct{} `type:"structure"`
 
 	// Represents the GSI properties for the table when the backup was created.
-	// It includes the IndexName, KeySchema, Projection and ProvisionedThroughput
+	// It includes the IndexName, KeySchema, Projection, and ProvisionedThroughput
 	// for the GSIs on the table at the time of backup.
 	GlobalSecondaryIndexes []*GlobalSecondaryIndexInfo `type:"list"`
 
@@ -13741,9 +13860,14 @@ type TableDescription struct {
 	//
 	//    * Backfilling - If true, then the index is currently in the backfilling
 	//    phase. Backfilling occurs only when a new global secondary index is added
-	//    to the table; it is the process by which DynamoDB populates the new index
+	//    to the table. It is the process by which DynamoDB populates the new index
 	//    with data from the table. (This attribute does not appear for indexes
-	//    that were created during a CreateTable operation.)
+	//    that were created during a CreateTable operation.) You can delete an index
+	//    that is being created during the Backfilling phase when IndexStatus is
+	//    set to CREATING and Backfilling is true. You can't delete the index that
+	//    is being created when IndexStatus is set to CREATING and Backfilling is
+	//    false. (This attribute does not appear for indexes that were created during
+	//    a CreateTable operation.)
 	//
 	//    * IndexName - The name of the global secondary index.
 	//
@@ -13769,7 +13893,7 @@ type TableDescription struct {
 	//    specification is composed of: ProjectionType - One of the following: KEYS_ONLY
 	//    - Only the index and primary keys are projected into the index. INCLUDE
 	//    - Only the specified table attributes are projected into the index. The
-	//    list of projected attributes are in NonKeyAttributes. ALL - All of the
+	//    list of projected attributes is in NonKeyAttributes. ALL - All of the
 	//    table attributes are projected into the index. NonKeyAttributes - A list
 	//    of one or more non-key attribute names that are projected into the secondary
 	//    index. The total count of attributes provided in NonKeyAttributes, summed
@@ -13817,11 +13941,11 @@ type TableDescription struct {
 	// However, the combination of the following three elements is guaranteed to
 	// be unique:
 	//
-	//    * the AWS customer ID.
+	//    * AWS customer ID
 	//
-	//    * the table name.
+	//    * Table name
 	//
-	//    * the StreamLabel.
+	//    * StreamLabel
 	LatestStreamLabel *string `type:"string"`
 
 	// Represents one or more local secondary indexes on the table. Each index is
@@ -13842,7 +13966,7 @@ type TableDescription struct {
 	//    specification is composed of: ProjectionType - One of the following: KEYS_ONLY
 	//    - Only the index and primary keys are projected into the index. INCLUDE
 	//    - Only the specified table attributes are projected into the index. The
-	//    list of projected attributes are in NonKeyAttributes. ALL - All of the
+	//    list of projected attributes is in NonKeyAttributes. ALL - All of the
 	//    table attributes are projected into the index. NonKeyAttributes - A list
 	//    of one or more non-key attribute names that are projected into the secondary
 	//    index. The total count of attributes provided in NonKeyAttributes, summed
@@ -15071,6 +15195,12 @@ type UpdateGlobalTableSettingsInput struct {
 
 	// The billing mode of the global table. If GlobalTableBillingMode is not specified,
 	// the global table defaults to PROVISIONED capacity billing mode.
+	//
+	//    * PROVISIONED - We recommend using PROVISIONED for predictable workloads.
+	//    PROVISIONED sets the billing mode to Provisioned Mode (https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html#HowItWorks.ProvisionedThroughput.Manual).
+	//
+	//    * PAY_PER_REQUEST - We recommend using PAY_PER_REQUEST for unpredictable
+	//    workloads. PAY_PER_REQUEST sets the billing mode to On-Demand Mode (https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html#HowItWorks.OnDemand).
 	GlobalTableBillingMode *string `type:"string" enum:"BillingMode"`
 
 	// Represents the settings of a global secondary index for a global table that
@@ -15622,11 +15752,11 @@ type UpdateTableInput struct {
 	// values are estimated based on the consumed read and write capacity of your
 	// table and global secondary indexes over the past 30 minutes.
 	//
-	//    * PROVISIONED - Sets the billing mode to PROVISIONED. We recommend using
-	//    PROVISIONED for predictable workloads.
+	//    * PROVISIONED - We recommend using PROVISIONED for predictable workloads.
+	//    PROVISIONED sets the billing mode to Provisioned Mode (https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html#HowItWorks.ProvisionedThroughput.Manual).
 	//
-	//    * PAY_PER_REQUEST - Sets the billing mode to PAY_PER_REQUEST. We recommend
-	//    using PAY_PER_REQUEST for unpredictable workloads.
+	//    * PAY_PER_REQUEST - We recommend using PAY_PER_REQUEST for unpredictable
+	//    workloads. PAY_PER_REQUEST sets the billing mode to On-Demand Mode (https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html#HowItWorks.OnDemand).
 	BillingMode *string `type:"string" enum:"BillingMode"`
 
 	// An array of one or more global secondary indexes for the table. For each
@@ -15639,6 +15769,9 @@ type UpdateTableInput struct {
 	//
 	//    * Delete - remove a global secondary index from the table.
 	//
+	// You can create or delete only one global secondary index per UpdateTable
+	// operation.
+	//
 	// For more information, see Managing Global Secondary Indexes (https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/GSI.OnlineOps.html)
 	// in the Amazon DynamoDB Developer Guide.
 	GlobalSecondaryIndexUpdates []*GlobalSecondaryIndexUpdate `type:"list"`
@@ -15866,8 +15999,8 @@ func (s *UpdateTimeToLiveOutput) SetTimeToLiveSpecification(v *TimeToLiveSpecifi
 
 // Represents an operation to perform - either DeleteItem or PutItem. You can
 // only request one of these operations, not both, in a single WriteRequest.
-// If you do need to perform both of these operations, you will need to provide
-// two separate WriteRequest objects.
+// If you do need to perform both of these operations, you need to provide two
+// separate WriteRequest objects.
 type WriteRequest struct {
 	_ struct{} `type:"structure"`
 
diff --git a/vendor/github.com/aws/aws-sdk-go/service/dynamodb/errors.go b/vendor/github.com/aws/aws-sdk-go/service/dynamodb/errors.go
index 71f3e7d3d532..e1b7931960d7 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/dynamodb/errors.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/dynamodb/errors.go
@@ -184,8 +184,6 @@ const (
 	//    index (LSI) becomes too large, or a similar validation error occurs because
 	//    of changes made by the transaction.
 	//
-	//    * The aggregate size of the items in the transaction exceeds 4 MBs.
-	//
 	//    * There is a user error, such as an invalid data format.
 	//
 	// DynamoDB cancels a TransactGetItems request under the following circumstances:
@@ -200,8 +198,6 @@ const (
 	//    * There is insufficient provisioned capacity for the transaction to be
 	//    completed.
 	//
-	//    * The aggregate size of the items in the transaction exceeds 4 MBs.
-	//
 	//    * There is a user error, such as an invalid data format.
 	//
 	// If using Java, DynamoDB lists the cancellation reasons on the CancellationReasons
diff --git a/vendor/github.com/aws/aws-sdk-go/service/elbv2/api.go b/vendor/github.com/aws/aws-sdk-go/service/elbv2/api.go
index 7dfb07d51f28..5da1567a3f20 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/elbv2/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/elbv2/api.go
@@ -3409,7 +3409,8 @@ type Action struct {
 
 	// The order for the action. This value is required for rules with multiple
 	// actions. The action with the lowest value for order is performed first. The
-	// final action to be performed must be a forward or a fixed-response action.
+	// last action to be performed must be one of the following types of actions:
+	// a forward, fixed-response, or redirect.
 	Order *int64 `min:"1" type:"integer"`
 
 	// [Application Load Balancer] Information for creating a redirect action. Specify
@@ -3420,8 +3421,7 @@ type Action struct {
 	// is forward.
 	TargetGroupArn *string `type:"string"`
 
-	// The type of action. Each rule must include exactly one of the following types
-	// of actions: forward, fixed-response, or redirect.
+	// The type of action.
 	//
 	// Type is a required field
 	Type *string `type:"string" required:"true" enum:"ActionTypeEnum"`
@@ -4276,8 +4276,8 @@ type CreateLoadBalancerInput struct {
 	//
 	// The nodes of an internal load balancer have only private IP addresses. The
 	// DNS name of an internal load balancer is publicly resolvable to the private
-	// IP addresses of the nodes. Therefore, internal load balancers can only route
-	// requests from clients with access to the VPC for the load balancer.
+	// IP addresses of the nodes. Therefore, internal load balancers can route requests
+	// only from clients with access to the VPC for the load balancer.
 	//
 	// The default is an Internet-facing load balancer.
 	Scheme *string `type:"string" enum:"LoadBalancerSchemeEnum"`
@@ -4425,7 +4425,8 @@ type CreateRuleInput struct {
 	_ struct{} `type:"structure"`
 
 	// The actions. Each rule must include exactly one of the following types of
-	// actions: forward, fixed-response, or redirect.
+	// actions: forward, fixed-response, or redirect, and it must be the last action
+	// to be performed.
 	//
 	// If the action type is forward, you specify a target group. The protocol of
 	// the target group must be HTTP or HTTPS for an Application Load Balancer.
@@ -6355,8 +6356,8 @@ type LoadBalancer struct {
 	//
 	// The nodes of an internal load balancer have only private IP addresses. The
 	// DNS name of an internal load balancer is publicly resolvable to the private
-	// IP addresses of the nodes. Therefore, internal load balancers can only route
-	// requests from clients with access to the VPC for the load balancer.
+	// IP addresses of the nodes. Therefore, internal load balancers can route requests
+	// only from clients with access to the VPC for the load balancer.
 	Scheme *string `type:"string" enum:"LoadBalancerSchemeEnum"`
 
 	// The IDs of the security groups for the load balancer.
@@ -6515,6 +6516,10 @@ type LoadBalancerAttribute struct {
 	//    * idle_timeout.timeout_seconds - The idle timeout value, in seconds. The
 	//    valid range is 1-4000 seconds. The default is 60 seconds.
 	//
+	//    * routing.http.drop_invalid_header_fields.enabled - Indicates whether
+	//    HTTP headers with invalid header fields are removed by the load balancer
+	//    (true) or routed to targets (false). The default is true.
+	//
 	//    * routing.http2.enabled - Indicates whether HTTP/2 is enabled. The value
 	//    is true or false. The default is true.
 	//
@@ -6854,7 +6859,8 @@ type ModifyRuleInput struct {
 	_ struct{} `type:"structure"`
 
 	// The actions. Each rule must include exactly one of the following types of
-	// actions: forward, fixed-response, or redirect.
+	// actions: forward, fixed-response, or redirect, and it must be the last action
+	// to be performed.
 	//
 	// If the action type is forward, you specify a target group. The protocol of
 	// the target group must be HTTP or HTTPS for an Application Load Balancer.
@@ -7044,7 +7050,7 @@ type ModifyTargetGroupInput struct {
 	// target. For Application Load Balancers, the range is 5 to 300 seconds. For
 	// Network Load Balancers, the supported values are 10 or 30 seconds.
 	//
-	// If the protocol of the target group is TCP, you can't modify this setting.
+	// With Network Load Balancers, you can't modify this setting.
 	HealthCheckIntervalSeconds *int64 `min:"5" type:"integer"`
 
 	// [HTTP/HTTPS health checks] The ping path that is the destination for the
@@ -7059,13 +7065,13 @@ type ModifyTargetGroupInput struct {
 	// target group is TCP, TLS, UDP, or TCP_UDP. The TLS, UDP, and TCP_UDP protocols
 	// are not supported for health checks.
 	//
-	// If the protocol of the target group is TCP, you can't modify this setting.
+	// With Network Load Balancers, you can't modify this setting.
 	HealthCheckProtocol *string `type:"string" enum:"ProtocolEnum"`
 
 	// [HTTP/HTTPS health checks] The amount of time, in seconds, during which no
 	// response means a failed health check.
 	//
-	// If the protocol of the target group is TCP, you can't modify this setting.
+	// With Network Load Balancers, you can't modify this setting.
 	HealthCheckTimeoutSeconds *int64 `min:"2" type:"integer"`
 
 	// The number of consecutive health checks successes required before considering
@@ -7075,7 +7081,7 @@ type ModifyTargetGroupInput struct {
 	// [HTTP/HTTPS health checks] The HTTP codes to use when checking for a successful
 	// response from a target.
 	//
-	// If the protocol of the target group is TCP, you can't modify this setting.
+	// With Network Load Balancers, you can't modify this setting.
 	Matcher *Matcher `type:"structure"`
 
 	// The Amazon Resource Name (ARN) of the target group.
@@ -8415,7 +8421,8 @@ type TargetDescription struct {
 	// Id is a required field
 	Id *string `type:"string" required:"true"`
 
-	// The port on which the target is listening.
+	// The port on which the target is listening. Not used if the target is a Lambda
+	// function.
 	Port *int64 `min:"1" type:"integer"`
 }
 
@@ -8498,7 +8505,8 @@ type TargetGroup struct {
 	// The HTTP codes to use when checking for a successful response from a target.
 	Matcher *Matcher `type:"structure"`
 
-	// The port on which the targets are listening.
+	// The port on which the targets are listening. Not used if the target is a
+	// Lambda function.
 	Port *int64 `min:"1" type:"integer"`
 
 	// The protocol to use for routing traffic to the targets.
@@ -8731,14 +8739,16 @@ type TargetHealth struct {
 	// values:
 	//
 	//    * Target.ResponseCodeMismatch - The health checks did not return an expected
-	//    HTTP code.
+	//    HTTP code. Applies only to Application Load Balancers.
 	//
-	//    * Target.Timeout - The health check requests timed out.
+	//    * Target.Timeout - The health check requests timed out. Applies only to
+	//    Application Load Balancers.
 	//
 	//    * Target.FailedHealthChecks - The load balancer received an error while
 	//    establishing a connection to the target or the target response was malformed.
 	//
 	//    * Elb.InternalError - The health checks failed due to an internal error.
+	//    Applies only to Application Load Balancers.
 	//
 	// If the target state is unused, the reason code can be one of the following
 	// values:
@@ -8750,11 +8760,11 @@ type TargetHealth struct {
 	//    or the target is in an Availability Zone that is not enabled for its load
 	//    balancer.
 	//
+	//    * Target.InvalidState - The target is in the stopped or terminated state.
+	//
 	//    * Target.IpUnusable - The target IP address is reserved for use by a load
 	//    balancer.
 	//
-	//    * Target.InvalidState - The target is in the stopped or terminated state.
-	//
 	// If the target state is draining, the reason code can be the following value:
 	//
 	//    * Target.DeregistrationInProgress - The target is in the process of being
@@ -8764,7 +8774,10 @@ type TargetHealth struct {
 	// value:
 	//
 	//    * Target.HealthCheckDisabled - Health checks are disabled for the target
-	//    group.
+	//    group. Applies only to Application Load Balancers.
+	//
+	//    * Elb.InternalError - Target health is unavailable due to an internal
+	//    error. Applies only to Network Load Balancers.
 	Reason *string `type:"string" enum:"TargetHealthReasonEnum"`
 
 	// The state of the target.
diff --git a/vendor/github.com/aws/aws-sdk-go/service/iot/api.go b/vendor/github.com/aws/aws-sdk-go/service/iot/api.go
index 3e371ea98204..1632b7b9cc8d 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/iot/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/iot/api.go
@@ -2609,10 +2609,6 @@ func (c *IoT) CreateStreamRequest(input *CreateStreamInput) (req *request.Reques
 // Creates a stream for delivering one or more large files in chunks over MQTT.
 // A stream transports data bytes in chunks or blocks packaged as MQTT messages
 // from a source like S3. You can have one or more files associated with a stream.
-// The total size of a file associated with the stream cannot exceed more than
-// 2 MB. The stream will be created with version 0. If a stream is created with
-// the same streamID as a stream that existed and was deleted within last 90
-// days, we will resurrect that old stream by incrementing the version by 1.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
 // with awserr.Error's Code and Message methods to get detailed information about
@@ -7736,6 +7732,106 @@ func (c *IoT) EnableTopicRuleWithContext(ctx aws.Context, input *EnableTopicRule
 	return out, req.Send()
 }
 
+const opGetCardinality = "GetCardinality"
+
+// GetCardinalityRequest generates a "aws/request.Request" representing the
+// client's request for the GetCardinality operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See GetCardinality for more information on using the GetCardinality
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+//    // Example sending a request using the GetCardinalityRequest method.
+//    req, resp := client.GetCardinalityRequest(params)
+//
+//    err := req.Send()
+//    if err == nil { // resp is now filled
+//        fmt.Println(resp)
+//    }
+func (c *IoT) GetCardinalityRequest(input *GetCardinalityInput) (req *request.Request, output *GetCardinalityOutput) {
+	op := &request.Operation{
+		Name:       opGetCardinality,
+		HTTPMethod: "POST",
+		HTTPPath:   "/indices/cardinality",
+	}
+
+	if input == nil {
+		input = &GetCardinalityInput{}
+	}
+
+	output = &GetCardinalityOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// GetCardinality API operation for AWS IoT.
+//
+// Returns the number of things with distinct values for the aggregation field.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS IoT's
+// API operation GetCardinality for usage and error information.
+//
+// Returned Error Codes:
+//   * ErrCodeInvalidRequestException "InvalidRequestException"
+//   The request is not valid.
+//
+//   * ErrCodeThrottlingException "ThrottlingException"
+//   The rate exceeds the limit.
+//
+//   * ErrCodeUnauthorizedException "UnauthorizedException"
+//   You are not authorized to perform this operation.
+//
+//   * ErrCodeServiceUnavailableException "ServiceUnavailableException"
+//   The service is temporarily unavailable.
+//
+//   * ErrCodeInternalFailureException "InternalFailureException"
+//   An unexpected error has occurred.
+//
+//   * ErrCodeResourceNotFoundException "ResourceNotFoundException"
+//   The specified resource does not exist.
+//
+//   * ErrCodeInvalidQueryException "InvalidQueryException"
+//   The query is invalid.
+//
+//   * ErrCodeInvalidAggregationException "InvalidAggregationException"
+//   The aggregation is invalid.
+//
+//   * ErrCodeIndexNotReadyException "IndexNotReadyException"
+//   The index is not ready.
+//
+func (c *IoT) GetCardinality(input *GetCardinalityInput) (*GetCardinalityOutput, error) {
+	req, out := c.GetCardinalityRequest(input)
+	return out, req.Send()
+}
+
+// GetCardinalityWithContext is the same as GetCardinality with the addition of
+// the ability to pass a context and additional request options.
+//
+// See GetCardinality for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *IoT) GetCardinalityWithContext(ctx aws.Context, input *GetCardinalityInput, opts ...request.Option) (*GetCardinalityOutput, error) {
+	req, out := c.GetCardinalityRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
 const opGetEffectivePolicies = "GetEffectivePolicies"
 
 // GetEffectivePoliciesRequest generates a "aws/request.Request" representing the
@@ -8179,6 +8275,109 @@ func (c *IoT) GetOTAUpdateWithContext(ctx aws.Context, input *GetOTAUpdateInput,
 	return out, req.Send()
 }
 
+const opGetPercentiles = "GetPercentiles"
+
+// GetPercentilesRequest generates a "aws/request.Request" representing the
+// client's request for the GetPercentiles operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See GetPercentiles for more information on using the GetPercentiles
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+//    // Example sending a request using the GetPercentilesRequest method.
+//    req, resp := client.GetPercentilesRequest(params)
+//
+//    err := req.Send()
+//    if err == nil { // resp is now filled
+//        fmt.Println(resp)
+//    }
+func (c *IoT) GetPercentilesRequest(input *GetPercentilesInput) (req *request.Request, output *GetPercentilesOutput) {
+	op := &request.Operation{
+		Name:       opGetPercentiles,
+		HTTPMethod: "POST",
+		HTTPPath:   "/indices/percentiles",
+	}
+
+	if input == nil {
+		input = &GetPercentilesInput{}
+	}
+
+	output = &GetPercentilesOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// GetPercentiles API operation for AWS IoT.
+//
+// Returns the percentile values for the aggregation field. The results from
+// GetPercentiles is an approximation. The default percentile groupings are:
+// 1,5,25,50,75,95,99. You can specify custom percentile grouping using the
+// percents argument to the GetPercentiles API.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS IoT's
+// API operation GetPercentiles for usage and error information.
+//
+// Returned Error Codes:
+//   * ErrCodeInvalidRequestException "InvalidRequestException"
+//   The request is not valid.
+//
+//   * ErrCodeThrottlingException "ThrottlingException"
+//   The rate exceeds the limit.
+//
+//   * ErrCodeUnauthorizedException "UnauthorizedException"
+//   You are not authorized to perform this operation.
+//
+//   * ErrCodeServiceUnavailableException "ServiceUnavailableException"
+//   The service is temporarily unavailable.
+//
+//   * ErrCodeInternalFailureException "InternalFailureException"
+//   An unexpected error has occurred.
+//
+//   * ErrCodeResourceNotFoundException "ResourceNotFoundException"
+//   The specified resource does not exist.
+//
+//   * ErrCodeInvalidQueryException "InvalidQueryException"
+//   The query is invalid.
+//
+//   * ErrCodeInvalidAggregationException "InvalidAggregationException"
+//   The aggregation is invalid.
+//
+//   * ErrCodeIndexNotReadyException "IndexNotReadyException"
+//   The index is not ready.
+//
+func (c *IoT) GetPercentiles(input *GetPercentilesInput) (*GetPercentilesOutput, error) {
+	req, out := c.GetPercentilesRequest(input)
+	return out, req.Send()
+}
+
+// GetPercentilesWithContext is the same as GetPercentiles with the addition of
+// the ability to pass a context and additional request options.
+//
+// See GetPercentiles for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *IoT) GetPercentilesWithContext(ctx aws.Context, input *GetPercentilesInput, opts ...request.Option) (*GetPercentilesOutput, error) {
+	req, out := c.GetPercentilesRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
 const opGetPolicy = "GetPolicy"
 
 // GetPolicyRequest generates a "aws/request.Request" representing the
@@ -8492,7 +8691,9 @@ func (c *IoT) GetStatisticsRequest(input *GetStatisticsInput) (req *request.Requ
 
 // GetStatistics API operation for AWS IoT.
 //
-// Gets statistics about things that match the specified query.
+// Gets statistics returns the count, average, sum, minimum, maximum, sumOfSquares,
+// variance, and standard deviation for the specified aggregated field. If the
+// aggregation field is of type String, only the count statistic is returned.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
 // with awserr.Error's Code and Message methods to get detailed information about
@@ -12716,7 +12917,11 @@ func (c *IoT) RegisterThingRequest(input *RegisterThingInput) (req *request.Requ
 
 // RegisterThing API operation for AWS IoT.
 //
-// Provisions a thing.
+// Provisions a thing in the device registry. RegisterThing calls other AWS
+// IoT control plane APIs. These calls might exceed your account level AWS IoT
+// Throttling Limits (https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html#limits_iot)
+// and cause throttle errors. Please contact AWS Customer Support (https://console.aws.amazon.com/support/home)
+// to raise your throttling limits if necessary.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
 // with awserr.Error's Code and Message methods to get detailed information about
@@ -17273,7 +17478,8 @@ func (s AttachSecurityProfileOutput) GoString() string {
 type AttachThingPrincipalInput struct {
 	_ struct{} `type:"structure"`
 
-	// The principal, such as a certificate or other credential.
+	// The principal, which can be a certificate ARN (as returned from the CreateCertificate
+	// operation) or an Amazon Cognito ID.
 	//
 	// Principal is a required field
 	Principal *string `location:"header" locationName:"x-amzn-principal" type:"string" required:"true"`
@@ -26432,6 +26638,39 @@ func (s *ExponentialRolloutRate) SetRateIncreaseCriteria(v *RateIncreaseCriteria
 	return s
 }
 
+// Describes the name and data type at a field.
+type Field struct {
+	_ struct{} `type:"structure"`
+
+	// The name of the field.
+	Name *string `locationName:"name" type:"string"`
+
+	// The datatype of the field.
+	Type *string `locationName:"type" type:"string" enum:"FieldType"`
+}
+
+// String returns the string representation
+func (s Field) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s Field) GoString() string {
+	return s.String()
+}
+
+// SetName sets the Name field's value.
+func (s *Field) SetName(v string) *Field {
+	s.Name = &v
+	return s
+}
+
+// SetType sets the Type field's value.
+func (s *Field) SetType(v string) *Field {
+	s.Type = &v
+	return s
+}
+
 // The location of the OTA update.
 type FileLocation struct {
 	_ struct{} `type:"structure"`
@@ -26549,6 +26788,103 @@ func (s *FirehoseAction) SetSeparator(v string) *FirehoseAction {
 	return s
 }
 
+type GetCardinalityInput struct {
+	_ struct{} `type:"structure"`
+
+	// The field to aggregate.
+	AggregationField *string `locationName:"aggregationField" min:"1" type:"string"`
+
+	// The name of the index to search.
+	IndexName *string `locationName:"indexName" min:"1" type:"string"`
+
+	// The search query.
+	//
+	// QueryString is a required field
+	QueryString *string `locationName:"queryString" min:"1" type:"string" required:"true"`
+
+	// The query version.
+	QueryVersion *string `locationName:"queryVersion" type:"string"`
+}
+
+// String returns the string representation
+func (s GetCardinalityInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetCardinalityInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *GetCardinalityInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "GetCardinalityInput"}
+	if s.AggregationField != nil && len(*s.AggregationField) < 1 {
+		invalidParams.Add(request.NewErrParamMinLen("AggregationField", 1))
+	}
+	if s.IndexName != nil && len(*s.IndexName) < 1 {
+		invalidParams.Add(request.NewErrParamMinLen("IndexName", 1))
+	}
+	if s.QueryString == nil {
+		invalidParams.Add(request.NewErrParamRequired("QueryString"))
+	}
+	if s.QueryString != nil && len(*s.QueryString) < 1 {
+		invalidParams.Add(request.NewErrParamMinLen("QueryString", 1))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetAggregationField sets the AggregationField field's value.
+func (s *GetCardinalityInput) SetAggregationField(v string) *GetCardinalityInput {
+	s.AggregationField = &v
+	return s
+}
+
+// SetIndexName sets the IndexName field's value.
+func (s *GetCardinalityInput) SetIndexName(v string) *GetCardinalityInput {
+	s.IndexName = &v
+	return s
+}
+
+// SetQueryString sets the QueryString field's value.
+func (s *GetCardinalityInput) SetQueryString(v string) *GetCardinalityInput {
+	s.QueryString = &v
+	return s
+}
+
+// SetQueryVersion sets the QueryVersion field's value.
+func (s *GetCardinalityInput) SetQueryVersion(v string) *GetCardinalityInput {
+	s.QueryVersion = &v
+	return s
+}
+
+type GetCardinalityOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The number of things that match the query.
+	Cardinality *int64 `locationName:"cardinality" type:"integer"`
+}
+
+// String returns the string representation
+func (s GetCardinalityOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetCardinalityOutput) GoString() string {
+	return s.String()
+}
+
+// SetCardinality sets the Cardinality field's value.
+func (s *GetCardinalityOutput) SetCardinality(v int64) *GetCardinalityOutput {
+	s.Cardinality = &v
+	return s
+}
+
 type GetEffectivePoliciesInput struct {
 	_ struct{} `type:"structure"`
 
@@ -26848,6 +27184,112 @@ func (s *GetOTAUpdateOutput) SetOtaUpdateInfo(v *OTAUpdateInfo) *GetOTAUpdateOut
 	return s
 }
 
+type GetPercentilesInput struct {
+	_ struct{} `type:"structure"`
+
+	// The field to aggregate.
+	AggregationField *string `locationName:"aggregationField" min:"1" type:"string"`
+
+	// The name of the index to search.
+	IndexName *string `locationName:"indexName" min:"1" type:"string"`
+
+	// The percentile groups returned.
+	Percents []*float64 `locationName:"percents" type:"list"`
+
+	// The query string.
+	//
+	// QueryString is a required field
+	QueryString *string `locationName:"queryString" min:"1" type:"string" required:"true"`
+
+	// The query version.
+	QueryVersion *string `locationName:"queryVersion" type:"string"`
+}
+
+// String returns the string representation
+func (s GetPercentilesInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetPercentilesInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *GetPercentilesInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "GetPercentilesInput"}
+	if s.AggregationField != nil && len(*s.AggregationField) < 1 {
+		invalidParams.Add(request.NewErrParamMinLen("AggregationField", 1))
+	}
+	if s.IndexName != nil && len(*s.IndexName) < 1 {
+		invalidParams.Add(request.NewErrParamMinLen("IndexName", 1))
+	}
+	if s.QueryString == nil {
+		invalidParams.Add(request.NewErrParamRequired("QueryString"))
+	}
+	if s.QueryString != nil && len(*s.QueryString) < 1 {
+		invalidParams.Add(request.NewErrParamMinLen("QueryString", 1))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetAggregationField sets the AggregationField field's value.
+func (s *GetPercentilesInput) SetAggregationField(v string) *GetPercentilesInput {
+	s.AggregationField = &v
+	return s
+}
+
+// SetIndexName sets the IndexName field's value.
+func (s *GetPercentilesInput) SetIndexName(v string) *GetPercentilesInput {
+	s.IndexName = &v
+	return s
+}
+
+// SetPercents sets the Percents field's value.
+func (s *GetPercentilesInput) SetPercents(v []*float64) *GetPercentilesInput {
+	s.Percents = v
+	return s
+}
+
+// SetQueryString sets the QueryString field's value.
+func (s *GetPercentilesInput) SetQueryString(v string) *GetPercentilesInput {
+	s.QueryString = &v
+	return s
+}
+
+// SetQueryVersion sets the QueryVersion field's value.
+func (s *GetPercentilesInput) SetQueryVersion(v string) *GetPercentilesInput {
+	s.QueryVersion = &v
+	return s
+}
+
+type GetPercentilesOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The percentile values of the aggregated fields.
+	Percentiles []*PercentPair `locationName:"percentiles" type:"list"`
+}
+
+// String returns the string representation
+func (s GetPercentilesOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetPercentilesOutput) GoString() string {
+	return s.String()
+}
+
+// SetPercentiles sets the Percentiles field's value.
+func (s *GetPercentilesOutput) SetPercentiles(v []*PercentPair) *GetPercentilesOutput {
+	s.Percentiles = v
+	return s
+}
+
 // The input for the GetPolicy operation.
 type GetPolicyInput struct {
 	_ struct{} `type:"structure"`
@@ -27031,7 +27473,7 @@ func (s *GetPolicyVersionInput) SetPolicyVersionId(v string) *GetPolicyVersionIn
 type GetPolicyVersionOutput struct {
 	_ struct{} `type:"structure"`
 
-	// The date the policy version was created.
+	// The date the policy was created.
 	CreationDate *time.Time `locationName:"creationDate" type:"timestamp"`
 
 	// The generation ID of the policy version.
@@ -27040,7 +27482,7 @@ type GetPolicyVersionOutput struct {
 	// Specifies whether the policy version is the default.
 	IsDefaultVersion *bool `locationName:"isDefaultVersion" type:"boolean"`
 
-	// The date the policy version was last modified.
+	// The date the policy was last modified.
 	LastModifiedDate *time.Time `locationName:"lastModifiedDate" type:"timestamp"`
 
 	// The policy ARN.
@@ -27156,7 +27598,7 @@ func (s *GetRegistrationCodeOutput) SetRegistrationCode(v string) *GetRegistrati
 type GetStatisticsInput struct {
 	_ struct{} `type:"structure"`
 
-	// The aggregation field name. Currently not supported.
+	// The aggregation field name.
 	AggregationField *string `locationName:"aggregationField" min:"1" type:"string"`
 
 	// The name of the index to search. The default value is AWS_Things.
@@ -33388,6 +33830,39 @@ func (s *OutgoingCertificate) SetTransferredTo(v string) *OutgoingCertificate {
 	return s
 }
 
+// Describes the percentile and percentile value.
+type PercentPair struct {
+	_ struct{} `type:"structure"`
+
+	// The percentile.
+	Percent *float64 `locationName:"percent" type:"double"`
+
+	// The value.
+	Value *float64 `locationName:"value" type:"double"`
+}
+
+// String returns the string representation
+func (s PercentPair) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s PercentPair) GoString() string {
+	return s.String()
+}
+
+// SetPercent sets the Percent field's value.
+func (s *PercentPair) SetPercent(v float64) *PercentPair {
+	s.Percent = &v
+	return s
+}
+
+// SetValue sets the Value field's value.
+func (s *PercentPair) SetValue(v float64) *PercentPair {
+	s.Value = &v
+	return s
+}
+
 // Describes an AWS IoT policy.
 type Policy struct {
 	_ struct{} `type:"structure"`
@@ -34440,7 +34915,8 @@ func (s ReplaceTopicRuleOutput) GoString() string {
 type RepublishAction struct {
 	_ struct{} `type:"structure"`
 
-	// The Quality of Service (QoS) level to use when republishing messages.
+	// The Quality of Service (QoS) level to use when republishing messages. The
+	// default value is 0.
 	Qos *int64 `locationName:"qos" type:"integer"`
 
 	// The ARN of the IAM role that grants access.
@@ -36084,8 +36560,29 @@ func (s *StatisticalThreshold) SetStatistic(v string) *StatisticalThreshold {
 type Statistics struct {
 	_ struct{} `type:"structure"`
 
+	// The average of the aggregated field values.
+	Average *float64 `locationName:"average" type:"double"`
+
 	// The count of things that match the query.
 	Count *int64 `locationName:"count" type:"integer"`
+
+	// The maximum aggregated field value.
+	Maximum *float64 `locationName:"maximum" type:"double"`
+
+	// The minimum aggregated field value.
+	Minimum *float64 `locationName:"minimum" type:"double"`
+
+	// The standard deviation of the aggregated field valuesl
+	StdDeviation *float64 `locationName:"stdDeviation" type:"double"`
+
+	// The sum of the aggregated field values.
+	Sum *float64 `locationName:"sum" type:"double"`
+
+	// The sum of the squares of the aggregated field values.
+	SumOfSquares *float64 `locationName:"sumOfSquares" type:"double"`
+
+	// The variance of the aggregated field values.
+	Variance *float64 `locationName:"variance" type:"double"`
 }
 
 // String returns the string representation
@@ -36098,12 +36595,54 @@ func (s Statistics) GoString() string {
 	return s.String()
 }
 
+// SetAverage sets the Average field's value.
+func (s *Statistics) SetAverage(v float64) *Statistics {
+	s.Average = &v
+	return s
+}
+
 // SetCount sets the Count field's value.
 func (s *Statistics) SetCount(v int64) *Statistics {
 	s.Count = &v
 	return s
 }
 
+// SetMaximum sets the Maximum field's value.
+func (s *Statistics) SetMaximum(v float64) *Statistics {
+	s.Maximum = &v
+	return s
+}
+
+// SetMinimum sets the Minimum field's value.
+func (s *Statistics) SetMinimum(v float64) *Statistics {
+	s.Minimum = &v
+	return s
+}
+
+// SetStdDeviation sets the StdDeviation field's value.
+func (s *Statistics) SetStdDeviation(v float64) *Statistics {
+	s.StdDeviation = &v
+	return s
+}
+
+// SetSum sets the Sum field's value.
+func (s *Statistics) SetSum(v float64) *Statistics {
+	s.Sum = &v
+	return s
+}
+
+// SetSumOfSquares sets the SumOfSquares field's value.
+func (s *Statistics) SetSumOfSquares(v float64) *Statistics {
+	s.SumOfSquares = &v
+	return s
+}
+
+// SetVariance sets the Variance field's value.
+func (s *Statistics) SetVariance(v float64) *Statistics {
+	s.Variance = &v
+	return s
+}
+
 // Starts execution of a Step Functions state machine.
 type StepFunctionsAction struct {
 	_ struct{} `type:"structure"`
@@ -37183,6 +37722,13 @@ func (s *ThingGroupDocument) SetThingGroupName(v string) *ThingGroupDocument {
 type ThingGroupIndexingConfiguration struct {
 	_ struct{} `type:"structure"`
 
+	// Contains custom field names and their data type.
+	CustomFields []*Field `locationName:"customFields" type:"list"`
+
+	// Contains fields that are indexed and whose types are already known by the
+	// Fleet Indexing service.
+	ManagedFields []*Field `locationName:"managedFields" type:"list"`
+
 	// Thing group indexing mode.
 	//
 	// ThingGroupIndexingMode is a required field
@@ -37212,6 +37758,18 @@ func (s *ThingGroupIndexingConfiguration) Validate() error {
 	return nil
 }
 
+// SetCustomFields sets the CustomFields field's value.
+func (s *ThingGroupIndexingConfiguration) SetCustomFields(v []*Field) *ThingGroupIndexingConfiguration {
+	s.CustomFields = v
+	return s
+}
+
+// SetManagedFields sets the ManagedFields field's value.
+func (s *ThingGroupIndexingConfiguration) SetManagedFields(v []*Field) *ThingGroupIndexingConfiguration {
+	s.ManagedFields = v
+	return s
+}
+
 // SetThingGroupIndexingMode sets the ThingGroupIndexingMode field's value.
 func (s *ThingGroupIndexingConfiguration) SetThingGroupIndexingMode(v string) *ThingGroupIndexingConfiguration {
 	s.ThingGroupIndexingMode = &v
@@ -37298,6 +37856,13 @@ func (s *ThingGroupProperties) SetThingGroupDescription(v string) *ThingGroupPro
 type ThingIndexingConfiguration struct {
 	_ struct{} `type:"structure"`
 
+	// Contains custom field names and their data type.
+	CustomFields []*Field `locationName:"customFields" type:"list"`
+
+	// Contains fields that are indexed and whose types are already known by the
+	// Fleet Indexing service.
+	ManagedFields []*Field `locationName:"managedFields" type:"list"`
+
 	// Thing connectivity indexing mode. Valid values are:
 	//
 	//    * STATUS – Your thing index contains connectivity status. To enable
@@ -37342,6 +37907,18 @@ func (s *ThingIndexingConfiguration) Validate() error {
 	return nil
 }
 
+// SetCustomFields sets the CustomFields field's value.
+func (s *ThingIndexingConfiguration) SetCustomFields(v []*Field) *ThingIndexingConfiguration {
+	s.CustomFields = v
+	return s
+}
+
+// SetManagedFields sets the ManagedFields field's value.
+func (s *ThingIndexingConfiguration) SetManagedFields(v []*Field) *ThingIndexingConfiguration {
+	s.ManagedFields = v
+	return s
+}
+
 // SetThingConnectivityIndexingMode sets the ThingConnectivityIndexingMode field's value.
 func (s *ThingIndexingConfiguration) SetThingConnectivityIndexingMode(v string) *ThingIndexingConfiguration {
 	s.ThingConnectivityIndexingMode = &v
@@ -40357,6 +40934,17 @@ const (
 	EventTypeCaCertificate = "CA_CERTIFICATE"
 )
 
+const (
+	// FieldTypeNumber is a FieldType enum value
+	FieldTypeNumber = "Number"
+
+	// FieldTypeString is a FieldType enum value
+	FieldTypeString = "String"
+
+	// FieldTypeBoolean is a FieldType enum value
+	FieldTypeBoolean = "Boolean"
+)
+
 const (
 	// IndexStatusActive is a IndexStatus enum value
 	IndexStatusActive = "ACTIVE"
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 141002e81204..a68cf3e01ec2 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -21,7 +21,7 @@ github.com/apparentlymart/go-cidr/cidr
 github.com/apparentlymart/go-textseg/textseg
 # github.com/armon/go-radix v1.0.0
 github.com/armon/go-radix
-# github.com/aws/aws-sdk-go v1.25.31
+# github.com/aws/aws-sdk-go v1.25.34
 github.com/aws/aws-sdk-go/aws
 github.com/aws/aws-sdk-go/aws/arn
 github.com/aws/aws-sdk-go/aws/awserr
diff --git a/website/docs/d/iam_policy_document.html.markdown b/website/docs/d/iam_policy_document.html.markdown
index 4b7f193b3e8f..d8be0d66c6c6 100644
--- a/website/docs/d/iam_policy_document.html.markdown
+++ b/website/docs/d/iam_policy_document.html.markdown
@@ -14,7 +14,7 @@ This is a data source which can be used to construct a JSON representation of
 an IAM policy document, for use with resources which expect policy documents,
 such as the `aws_iam_policy` resource.
 
--> For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](/docs/providers/aws/guides/iam-policy-documents.html).
+-> For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy).
 
 ```hcl
 data "aws_iam_policy_document" "example" {
diff --git a/website/docs/guides/eks-getting-started.html.md b/website/docs/guides/eks-getting-started.html.md
deleted file mode 100644
index 9029eac0274c..000000000000
--- a/website/docs/guides/eks-getting-started.html.md
+++ /dev/null
@@ -1,608 +0,0 @@
----
-layout: "aws"
-page_title: "EKS Getting Started Guide"
-description: |-
-  Using Terraform to configure AWS EKS.
----
-
-# Getting Started with AWS EKS
-
-The Amazon Web Services EKS service allows for simplified management of
-[Kubernetes](https://kubernetes.io/) servers. While the service itself is
-quite simple from an operator perspective, understanding how it interconnects
-with other pieces of the AWS service universe and how to configure local
-Kubernetes clients to manage clusters can be helpful.
-
-While the [EKS User Guide](https://docs.aws.amazon.com/eks/latest/userguide/)
-provides much of the up-to-date information about getting started with the service
-from a generic standpoint, this guide provides a Terraform configuration based
-introduction.
-
-This guide will show how to deploy a sample architecture using Terraform. The
-guide assumes some basic familiarity with Kubernetes but does not
-assume any pre-existing deployment. It also assumes that you are familiar
-with the usual Terraform plan/apply workflow; if you're new to Terraform
-itself, refer first to [the Getting Started guide](/intro/getting-started/install.html).
-
-It is worth noting that there are other valid ways to use these services and
-resources that make different tradeoffs. We encourage readers to consult the official documentation for the respective services and resources for additional context and
-best-practices. This guide can still serve as an introduction to the main resources
-associated with these services, even if you choose a different architecture.
-
-<!-- TOC depthFrom:2 -->
-
-- [Guide Overview](#guide-overview)
-- [Preparation](#preparation)
-- [Create Sample Architecture in AWS](#create-sample-architecture-in-aws)
-    - [Cluster Name Variable](#cluster-name-variable)
-    - [Base VPC Networking](#base-vpc-networking)
-    - [Kubernetes Masters](#kubernetes-masters)
-        - [EKS Master Cluster IAM Role](#eks-master-cluster-iam-role)
-        - [EKS Master Cluster Security Group](#eks-master-cluster-security-group)
-        - [EKS Master Cluster](#eks-master-cluster)
-    - [Configuring kubectl for EKS](#configuring-kubectl-for-eks)
-    - [Kubernetes Worker Nodes](#kubernetes-worker-nodes)
-        - [Worker Node IAM Role and Instance Profile](#worker-node-iam-role-and-instance-profile)
-        - [Worker Node Security Group](#worker-node-security-group)
-        - [Worker Node Access to EKS Master Cluster](#worker-node-access-to-eks-master-cluster)
-        - [Worker Node AutoScaling Group](#worker-node-autoscaling-group)
-        - [Required Kubernetes Configuration to Join Worker Nodes](#required-kubernetes-configuration-to-join-worker-nodes)
-- [Destroy Sample Architecture in AWS](#destroy-sample-architecture-in-aws)
-
-<!-- /TOC -->
-
-## Guide Overview
-
-~> **Warning:** Following this guide will create objects in your AWS account
-that will cost you money against your AWS bill.
-
-The sample architecture introduced here includes the following resources:
-
-* EKS Cluster: AWS managed Kubernetes cluster of master servers
-* AutoScaling Group containing 2 m4.large instances based on the latest EKS Amazon Linux 2 AMI: Operator managed Kubernetes worker nodes for running Kubernetes service deployments
-* Associated VPC, Internet Gateway, Security Groups, and Subnets: Operator managed networking resources for the EKS Cluster and worker node instances
-* Associated IAM Roles and Policies: Operator managed access resources for EKS and worker node instances
-
-## Preparation
-
-In order to follow this guide you will need an AWS account and to have
-Terraform installed.
-[Configure your credentials](/docs/providers/aws/index.html#authentication)
-so that Terraform is able to act on your behalf.
-
-For simplicity here, we will assume you are already using a set of IAM
-credentials with suitable access to create AutoScaling, EC2, EKS, and IAM
-resources. If you are not sure and are working in an AWS account used only for
-development, the simplest approach to get started is to use credentials with
-full administrative access to the target AWS account.
-
-If you are planning to locally use the standard Kubernetes client, `kubectl`,
-it must be at least version 1.10 to support `exec` authentication with usage
-of `aws-iam-authenticator`. For additional information about installation
-and configuration of these applications, see their official documentation.
-
-Relevant Links:
-
-* [Kubernetes Client Install Guide](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
-* [AWS IAM Authenticator](https://github.com/kubernetes-sigs/aws-iam-authenticator)
-
-## Create Sample Architecture in AWS
-
-~> **NOTE:** We recommend using this guide to build a separate Terraform
-configuration (for easy tear down) and more importantly running it in a
-separate AWS account as your production infrastructure. While it is
-self-contained and should not affect existing infrastructure, its always best
-to be cautious!
-
-~> **NOTE:** If you would rather see the full sample Terraform configuration
-for this guide rather than the individual pieces, it can be found at:
-https://github.com/terraform-providers/terraform-provider-aws/tree/master/examples/eks-getting-started
-
-### Cluster Name Variable
-
-The below sample Terraform configurations reference a variable called
-`cluster-name` (`var.cluster-name`) which is used for consistency. Feel free
-to substitute your own cluster name or create the variable configuration:
-
-```hcl
-variable "cluster-name" {
-  default = "terraform-eks-demo"
-  type    = "string"
-}
-```
-
-### Base VPC Networking
-
-EKS requires the usage of [Virtual Private Cloud](https://aws.amazon.com/vpc/) to
-provide the base for its networking configuration.
-
-~> **NOTE:** The usage of the specific `kubernetes.io/cluster/*` resource tags below are required for EKS and Kubernetes to discover and manage networking resources.
-
-The below will create a 10.0.0.0/16 VPC, two 10.0.X.0/24 subnets, an internet
-gateway, and setup the subnet routing to route external traffic through the
-internet gateway:
-
-```hcl
-# This data source is included for ease of sample architecture deployment
-# and can be swapped out as necessary.
-data "aws_availability_zones" "available" {}
-
-resource "aws_vpc" "demo" {
-  cidr_block = "10.0.0.0/16"
-
-  tags = "${
-    map(
-     "Name", "terraform-eks-demo-node",
-     "kubernetes.io/cluster/${var.cluster-name}", "shared",
-    )
-  }"
-}
-
-resource "aws_subnet" "demo" {
-  count = 2
-
-  availability_zone = "${data.aws_availability_zones.available.names[count.index]}"
-  cidr_block        = "10.0.${count.index}.0/24"
-  vpc_id            = "${aws_vpc.demo.id}"
-
-  tags = "${
-    map(
-     "Name", "terraform-eks-demo-node",
-     "kubernetes.io/cluster/${var.cluster-name}", "shared",
-    )
-  }"
-}
-
-resource "aws_internet_gateway" "demo" {
-  vpc_id = "${aws_vpc.demo.id}"
-
-  tags = {
-    Name = "terraform-eks-demo"
-  }
-}
-
-resource "aws_route_table" "demo" {
-  vpc_id = "${aws_vpc.demo.id}"
-
-  route {
-    cidr_block = "0.0.0.0/0"
-    gateway_id = "${aws_internet_gateway.demo.id}"
-  }
-}
-
-resource "aws_route_table_association" "demo" {
-  count = 2
-
-  subnet_id      = "${aws_subnet.demo.*.id[count.index]}"
-  route_table_id = "${aws_route_table.demo.id}"
-}
-```
-
-### Kubernetes Masters
-
-This is where the EKS service comes into play. It requires a few operator
-managed resources beforehand so that Kubernetes can properly manage other
-AWS services as well as allow inbound networking communication from your
-local workstation (if desired) and worker nodes.
-
-#### EKS Master Cluster IAM Role
-
-The below is an example IAM role and policy to allow the EKS service to
-manage or retrieve data from other AWS services. It is also possible to create
-these policies with the [`aws_iam_policy_document` data source](/docs/providers/aws/d/iam_policy_document.html)
-
-For the latest required policy, see the [EKS User Guide](https://docs.aws.amazon.com/eks/latest/userguide/).
-
-```hcl
-resource "aws_iam_role" "demo-cluster" {
-  name = "terraform-eks-demo-cluster"
-
-  assume_role_policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "Service": "eks.amazonaws.com"
-      },
-      "Action": "sts:AssumeRole"
-    }
-  ]
-}
-POLICY
-}
-
-resource "aws_iam_role_policy_attachment" "demo-cluster-AmazonEKSClusterPolicy" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
-  role       = "${aws_iam_role.demo-cluster.name}"
-}
-
-resource "aws_iam_role_policy_attachment" "demo-cluster-AmazonEKSServicePolicy" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
-  role       = "${aws_iam_role.demo-cluster.name}"
-}
-```
-
-#### EKS Master Cluster Security Group
-
-This security group controls networking access to the Kubernetes masters.
-We will later configure this with an ingress rule to allow traffic from the
-worker nodes.
-
-```hcl
-resource "aws_security_group" "demo-cluster" {
-  name        = "terraform-eks-demo-cluster"
-  description = "Cluster communication with worker nodes"
-  vpc_id      = "${aws_vpc.demo.id}"
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  tags = {
-    Name = "terraform-eks-demo"
-  }
-}
-
-# OPTIONAL: Allow inbound traffic from your local workstation external IP
-#           to the Kubernetes. You will need to replace A.B.C.D below with
-#           your real IP. Services like icanhazip.com can help you find this.
-resource "aws_security_group_rule" "demo-cluster-ingress-workstation-https" {
-  cidr_blocks       = ["A.B.C.D/32"]
-  description       = "Allow workstation to communicate with the cluster API Server"
-  from_port         = 443
-  protocol          = "tcp"
-  security_group_id = "${aws_security_group.demo-cluster.id}"
-  to_port           = 443
-  type              = "ingress"
-}
-```
-
-#### EKS Master Cluster
-
-This resource is the actual Kubernetes master cluster. It can take a few minutes to
-provision in AWS.
-
-```hcl
-resource "aws_eks_cluster" "demo" {
-  name            = "${var.cluster-name}"
-  role_arn        = "${aws_iam_role.demo-cluster.arn}"
-
-  vpc_config {
-    security_group_ids = ["${aws_security_group.demo-cluster.id}"]
-    subnet_ids         = ["${aws_subnet.demo.*.id}"]
-  }
-
-  depends_on = [
-    "aws_iam_role_policy_attachment.demo-cluster-AmazonEKSClusterPolicy",
-    "aws_iam_role_policy_attachment.demo-cluster-AmazonEKSServicePolicy",
-  ]
-}
-```
-
-### Configuring kubectl for EKS
-
--> This section only provides some example methods for configuring `kubectl` to communicate with EKS servers. Managing Kubernetes clients and configurations is outside the scope of this guide.
-
-If you are planning on using `kubectl` to manage the Kubernetes cluster, now
-might be a great time to configure your client. After configuration, you can
-verify cluster access via `kubectl version` displaying server version
-information in addition to local client version information.
-
-The AWS CLI [`eks update-kubeconfig`](https://docs.aws.amazon.com/cli/latest/reference/eks/update-kubeconfig.html)
-command provides a simple method to create or update configuration files.
-
-If you would rather update your configuration manually, the below Terraform output
-generates a sample `kubectl` configuration to connect to your cluster. This can
-be placed into a Kubernetes configuration file, e.g. `~/.kube/config`
-
-```hcl
-locals {
-  kubeconfig = <<KUBECONFIG
-
-
-apiVersion: v1
-clusters:
-- cluster:
-    server: ${aws_eks_cluster.demo.endpoint}
-    certificate-authority-data: ${aws_eks_cluster.demo.certificate_authority.0.data}
-  name: kubernetes
-contexts:
-- context:
-    cluster: kubernetes
-    user: aws
-  name: aws
-current-context: aws
-kind: Config
-preferences: {}
-users:
-- name: aws
-  user:
-    exec:
-      apiVersion: client.authentication.k8s.io/v1alpha1
-      command: aws-iam-authenticator
-      args:
-        - "token"
-        - "-i"
-        - "${var.cluster-name}"
-KUBECONFIG
-}
-
-output "kubeconfig" {
-  value = "${local.kubeconfig}"
-}
-```
-
-### Kubernetes Worker Nodes
-
-The EKS service does not currently provide managed resources for running
-worker nodes. Here we will create a few operator managed resources so that
-Kubernetes can properly manage other AWS services, networking access, and
-finally a configuration that allows automatic scaling of worker nodes.
-
-#### Worker Node IAM Role and Instance Profile
-
-The below is an example IAM role and policy to allow the worker nodes to
-manage or retrieve data from other AWS services. It is used by Kubernetes
-to allow worker nodes to join the cluster. It is also possible to create
-these policies with the [`aws_iam_policy_document` data source](/docs/providers/aws/d/iam_policy_document.html)
-
-For the latest required policy, see the [EKS User Guide](https://docs.aws.amazon.com/eks/latest/userguide/).
-
-```hcl
-resource "aws_iam_role" "demo-node" {
-  name = "terraform-eks-demo-node"
-
-  assume_role_policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "Service": "ec2.amazonaws.com"
-      },
-      "Action": "sts:AssumeRole"
-    }
-  ]
-}
-POLICY
-}
-
-resource "aws_iam_role_policy_attachment" "demo-node-AmazonEKSWorkerNodePolicy" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
-  role       = "${aws_iam_role.demo-node.name}"
-}
-
-resource "aws_iam_role_policy_attachment" "demo-node-AmazonEKS_CNI_Policy" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
-  role       = "${aws_iam_role.demo-node.name}"
-}
-
-resource "aws_iam_role_policy_attachment" "demo-node-AmazonEC2ContainerRegistryReadOnly" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
-  role       = "${aws_iam_role.demo-node.name}"
-}
-
-resource "aws_iam_instance_profile" "demo-node" {
-  name = "terraform-eks-demo"
-  role = "${aws_iam_role.demo-node.name}"
-}
-```
-
-#### Worker Node Security Group
-
-This security group controls networking access to the Kubernetes worker nodes.
-
-```hcl
-resource "aws_security_group" "demo-node" {
-  name        = "terraform-eks-demo-node"
-  description = "Security group for all nodes in the cluster"
-  vpc_id      = "${aws_vpc.demo.id}"
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  tags = "${
-    map(
-     "Name", "terraform-eks-demo-node",
-     "kubernetes.io/cluster/${var.cluster-name}", "owned",
-    )
-  }"
-}
-
-resource "aws_security_group_rule" "demo-node-ingress-self" {
-  description              = "Allow node to communicate with each other"
-  from_port                = 0
-  protocol                 = "-1"
-  security_group_id        = "${aws_security_group.demo-node.id}"
-  source_security_group_id = "${aws_security_group.demo-node.id}"
-  to_port                  = 65535
-  type                     = "ingress"
-}
-
-resource "aws_security_group_rule" "demo-node-ingress-cluster-https" {
-  description              = "Allow worker Kubelets and pods to receive communication from the cluster control plane"
-  from_port                = 443
-  protocol                 = "tcp"
-  security_group_id        = "${aws_security_group.demo-node.id}"
-  source_security_group_id = "${aws_security_group.demo-cluster.id}"
-  to_port                  = 443
-  type                     = "ingress"
-}
-
-resource "aws_security_group_rule" "demo-node-ingress-cluster-others" {
-  description              = "Allow worker Kubelets and pods to receive communication from the cluster control plane"
-  from_port                = 1025
-  protocol                 = "tcp"
-  security_group_id        = "${aws_security_group.demo-node.id}"
-  source_security_group_id = "${aws_security_group.demo-cluster.id}"
-  to_port                  = 65535
-  type                     = "ingress"
-}
-```
-
-#### Worker Node Access to EKS Master Cluster
-
-Now that we have a way to know where traffic from the worker nodes is coming
-from, we can allow the worker nodes networking access to the EKS master cluster.
-
-```hcl
-resource "aws_security_group_rule" "demo-cluster-ingress-node-https" {
-  description              = "Allow pods to communicate with the cluster API Server"
-  from_port                = 443
-  protocol                 = "tcp"
-  security_group_id        = "${aws_security_group.demo-cluster.id}"
-  source_security_group_id = "${aws_security_group.demo-node.id}"
-  to_port                  = 443
-  type                     = "ingress"
-}
-```
-
-#### Worker Node AutoScaling Group
-
-Now we have everything in place to create and manage EC2 instances that will
-serve as our worker nodes in the Kubernetes cluster. This setup utilizes
-an EC2 AutoScaling Group (ASG) rather than manually working with EC2 instances.
-This offers flexibility to scale up and down the worker nodes on demand when
-used in conjunction with AutoScaling policies (not implemented here).
-
-First, let us create a data source to fetch the latest Amazon Machine Image
-(AMI) that Amazon provides with an EKS compatible Kubernetes baked in. It will filter for and select an AMI compatible with the specific Kubernetes version being deployed.
-
-```hcl
-data "aws_ami" "eks-worker" {
-  filter {
-    name   = "name"
-    values = ["amazon-eks-node-${aws_eks_cluster.demo.version}-v*"]
-  }
-
-  most_recent = true
-  owners      = ["602401143452"] # Amazon EKS AMI Account ID
-}
-```
-
-Next, lets create an AutoScaling Launch Configuration that uses all our
-prerequisite resources to define how to create EC2 instances using them.
-
-```hcl
-# This data source is included for ease of sample architecture deployment
-# and can be swapped out as necessary.
-data "aws_region" "current" {}
-
-# EKS currently documents this required userdata for EKS worker nodes to
-# properly configure Kubernetes applications on the EC2 instance.
-# We utilize a Terraform local here to simplify Base64 encoding this
-# information into the AutoScaling Launch Configuration.
-# More information: https://docs.aws.amazon.com/eks/latest/userguide/launch-workers.html
-locals {
-  demo-node-userdata = <<USERDATA
-#!/bin/bash
-set -o xtrace
-/etc/eks/bootstrap.sh --apiserver-endpoint '${aws_eks_cluster.demo.endpoint}' --b64-cluster-ca '${aws_eks_cluster.demo.certificate_authority.0.data}' '${var.cluster-name}'
-USERDATA
-}
-
-resource "aws_launch_configuration" "demo" {
-  associate_public_ip_address = true
-  iam_instance_profile        = "${aws_iam_instance_profile.demo-node.name}"
-  image_id                    = "${data.aws_ami.eks-worker.id}"
-  instance_type               = "m4.large"
-  name_prefix                 = "terraform-eks-demo"
-  security_groups             = ["${aws_security_group.demo-node.id}"]
-  user_data_base64            = "${base64encode(local.demo-node-userdata)}"
-
-  lifecycle {
-    create_before_destroy = true
-  }
-}
-```
-
-Finally, we create an AutoScaling Group that actually launches EC2 instances
-based on the AutoScaling Launch Configuration.
-
-~> **NOTE:** The usage of the specific `kubernetes.io/cluster/*` resource tag below is required for EKS and Kubernetes to discover and manage compute resources.
-
-```hcl
-resource "aws_autoscaling_group" "demo" {
-  desired_capacity     = 2
-  launch_configuration = "${aws_launch_configuration.demo.id}"
-  max_size             = 2
-  min_size             = 1
-  name                 = "terraform-eks-demo"
-  vpc_zone_identifier  = ["${aws_subnet.demo.*.id}"]
-
-  tag {
-    key                 = "Name"
-    value               = "terraform-eks-demo"
-    propagate_at_launch = true
-  }
-
-  tag {
-    key                 = "kubernetes.io/cluster/${var.cluster-name}"
-    value               = "owned"
-    propagate_at_launch = true
-  }
-}
-```
-
-~> **NOTE:** At this point, your Kubernetes cluster will have running masters
-and worker nodes, _however_, the worker nodes will not be able to join the
-Kubernetes cluster quite yet. The next section has the required Kubernetes
-configuration to enable the worker nodes to join the cluster.
-
-#### Required Kubernetes Configuration to Join Worker Nodes
-
--> While managing Kubernetes cluster and client configurations are beyond the scope of this guide, we provide an example of how to apply the required Kubernetes [`ConfigMap`](http://kubernetes.io/docs/user-guide/configmap/) via `kubectl` below for completeness. See also the [Configuring kubectl for EKS](#configuring-kubectl-for-eks) section.
-
-The EKS service does not provide a cluster-level API parameter or resource to
-automatically configure the underlying Kubernetes cluster to allow worker nodes
-to join the cluster via AWS IAM role authentication.
-
-To output an example IAM Role authentication `ConfigMap` from your
-Terraform configuration:
-
-```hcl
-locals {
-  config_map_aws_auth = <<CONFIGMAPAWSAUTH
-
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: aws-auth
-  namespace: kube-system
-data:
-  mapRoles: |
-    - rolearn: ${aws_iam_role.demo-node.arn}
-      username: system:node:{{EC2PrivateDNSName}}
-      groups:
-        - system:bootstrappers
-        - system:nodes
-CONFIGMAPAWSAUTH
-}
-
-output "config_map_aws_auth" {
-  value = "${local.config_map_aws_auth}"
-}
-```
-
-* Run `terraform output config_map_aws_auth` and save the configuration into a file, e.g. `config_map_aws_auth.yaml`
-* Run `kubectl apply -f config_map_aws_auth.yaml`
-* You can verify the worker nodes are joining the cluster via: `kubectl get nodes --watch`
-
-At this point, you should be able to utilize Kubernetes as expected!
-
-## Destroy Sample Architecture in AWS
-
-Assuming you have built the sample architecture in a separate configuration,
-simply use `terraform destroy` to tear down all associated resources with this
-guide.
diff --git a/website/docs/guides/iam-policy-documents.html.md b/website/docs/guides/iam-policy-documents.html.md
deleted file mode 100644
index fd810e3d6d8d..000000000000
--- a/website/docs/guides/iam-policy-documents.html.md
+++ /dev/null
@@ -1,168 +0,0 @@
----
-layout: "aws"
-page_title: "AWS IAM Policy Documents with Terraform"
-description: |-
-  Using Terraform to configure AWS IAM policy documents.
----
-
-# AWS IAM Policy Documents with Terraform
-
-AWS leverages a standard JSON Identity and Access Management (IAM) policy document format across many services to control authorization to resources and API actions. This guide is designed to highlight some recommended configuration patterns with how Terraform and the AWS provider can build these policy documents.
-
-The example policy documents and resources in this guide are for illustrative purposes only. Full documentation about the IAM policy format and supported elements can be found in the [AWS IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html).
-
-~> **NOTE:** Some AWS services only allow a subset of the policy elements or policy variables. For more information, see the AWS User Guide for the service you are configuring.
-
-~> **NOTE:** [IAM policy variables](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html), e.g. `${aws:username}`, use the same configuration syntax (`${...}`) as Terraform interpolation. When implementing IAM policy documents with these IAM variables, you may receive syntax errors from Terraform. You can escape the dollar character within your Terraform configration to prevent the error, e.g. `$${aws:username}`.
-
-<!-- TOC depthFrom:2 -->
-
-- [Choosing a Configuration Method](#choosing-a-configuration-method)
-- [Recommended Configuration Method Examples](#recommended-configuration-method-examples)
-    - [aws_iam_policy_document Data Source](#aws_iam_policy_document-data-source)
-    - [Multiple Line Heredoc Syntax](#multiple-line-heredoc-syntax)
-- [Other Configuration Method Examples](#other-configuration-method-examples)
-    - [Single Line String Syntax](#single-line-string-syntax)
-    - [file() Interpolation Function](#file-interpolation-function)
-    - [template_file Data Source](#template_file-data-source)
-
-<!-- /TOC -->
-
-## Choosing a Configuration Method
-
-Terraform offers flexibility when creating configurations to match the architectural structure of teams and infrastructure. In most situations, using native functionality within Terraform and its providers will be the simplest to understand, eliminating context switching with other tooling, file sprawl, or differing file formats. Configuration examples of the available methods can be found later in the guide.
-
-The recommended approach to building AWS IAM policy documents within Terraform is the highly customizable [`aws_iam_policy_document` data source](#aws_iam_policy_document-data-source). A short list of benefits over other methods include:
-
-- Native Terraform configuration - no need to worry about JSON formatting or syntax
-- Policy layering - create policy documents that combine and/or overwrite other policy documents
-- Built-in policy error checking
-
-Otherwise in simple cases, such as a statically defined [assume role policy for an IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html), Terraform's [multiple line heredoc syntax](#multiple-line-heredoc-syntax) allows the easiest formatting without any indirection of a separate data source configuration or file.
-
-Additional methods are available, such [single line string syntax](#single-line-string-syntax), the [file() interpolation function](#file-interpolation-function), and the [template_file data source](#template_file-data-source), however their usage is discouraged due to their complexity.
-
-## Recommended Configuration Method Examples
-
-These configuration methods are the simplest and most powerful within Terraform.
-
-### aws_iam_policy_document Data Source
-
--> For complete implementation information and examples, see the [`aws_iam_policy_document` data source documentation](/docs/providers/aws/d/iam_policy_document.html).
-
-```hcl
-data "aws_iam_policy_document" "example" {
-  statement {
-    actions   = ["*"]
-    resources = ["*"]
-  }
-}
-
-resource "aws_iam_policy" "example" {
-  # ... other configuration ...
-
-  policy = "${data.aws_iam_policy_document.example.json}"
-}
-```
-
-### Multiple Line Heredoc Syntax
-
-Interpolation is available within the heredoc string if necessary.
-
-For example:
-
-```hcl
-resource "aws_iam_policy" "example" {
-  # ... other configuration ...
-  policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": {
-    "Effect": "Allow",
-    "Action": "*",
-    "Resource": "*"
-  }
-}
-POLICY
-}
-```
-
-## Other Configuration Method Examples
-
-These other configuration methods are provided only for reference and not meant to be an authoritative source of information.
-
-### Single Line String Syntax
-
-Single line IAM policy documents can be constructed with regular string syntax. Interpolation is available within the string if necessary. Since the double quotes within the IAM policy JSON conflict with Terraform's double quotes for declaring a string, they need to be escaped (`\"`).
-
-For example:
-
-```hcl
-resource "aws_iam_policy" "example" {
-  # ... other configuration ...
-
-  policy = "{\"Version\": \"2012-10-17\", \"Statement\": {\"Effect\": \"Allow\", \"Action\": \"*\", \"Resource\": \"*\"}}"
-}
-```
-
-### file() Interpolation Function
-
-To decouple the IAM policy JSON from the Terraform configuration, Terraform has a built-in [`file()` function](https://www.terraform.io/docs/configuration/functions/file.html), which can read the contents of a local file into the configuration.
-
-For example, creating a file called `policy.json` with the contents:
-
-```json
-{
-  "Version": "2012-10-17",
-  "Statement": {
-    "Effect": "Allow",
-    "Action": "*",
-    "Resource": "*"
-  }
-}
-```
-
-Those contents can be read into the Terraform configuration via:
-
-```hcl
-resource "aws_iam_policy" "example" {
-  # ... other configuration ...
-
-  policy = "${file("policy.json")}"
-}
-```
-
-### template_file Data Source
-
-To enable interpolation in decoupled files, the [`template_file` data source](/docs/providers/template/d/file.html) is available.
-
-For example, creating a file called `policy.json.tpl` with the contents:
-
-```json
-{
-  "Version": "2012-10-17",
-  "Statement": {
-    "Effect": "Allow",
-    "Action": "*",
-    "Resource": "${resource}"
-  }
-}
-```
-
-Those contents can be read and interpolated into the Terraform configuration via:
-
-```hcl
-data "template_file" "example" {
-  template = "${file("policy.json.tpl")}"
-
-  vars = {
-    resource = "${aws_vpc.example.arn}"
-  }
-}
-
-resource "aws_iam_policy" "example" {
-  # ... other configuration ...
-
-  policy = "${data.template_file.example.rendered}"
-}
-```
diff --git a/website/docs/guides/serverless-with-aws-lambda-and-api-gateway.html.md b/website/docs/guides/serverless-with-aws-lambda-and-api-gateway.html.md
deleted file mode 100644
index f1ef45cfc34f..000000000000
--- a/website/docs/guides/serverless-with-aws-lambda-and-api-gateway.html.md
+++ /dev/null
@@ -1,641 +0,0 @@
----
-layout: "aws"
-page_title: "Serverless with AWS Lambda and API Gateway"
-description: |-
-  Using Terraform to configure a serverless application with AWS Lambda and API Gateway.
----
-
-# Serverless Applications with AWS Lambda and API Gateway
-
-_Serverless computing_ is a cloud computing model in which a cloud provider
-automatically manages the provisioning and allocation of compute resources.
-This contrasts with traditional cloud computing where the user is responsible
-for directly managing virtual servers.
-
-A popular approach to running "serverless" web applications is to implement
-the application functionality as one or more functions in
-[AWS Lambda](https://aws.amazon.com/lambda/) and then expose these for public
-consumption using [Amazon API Gateway](https://aws.amazon.com/api-gateway/).
-
-This guide will show how to deploy such an architecture using Terraform. The
-guide assumes some basic familiarity with Lambda and API Gateway but does not
-assume any pre-existing deployment. It also assumes that you are familiar
-with the usual Terraform plan/apply workflow; if you're new to Terraform
-itself, refer first to [the Getting Started guide](/intro/getting-started/install.html).
-
-This is a slightly-opinionated guide, which chooses to ignore the built-in
-versioning and staged deployment mechanisms in AWS Lambda and API Gateway.
-In many cases these features are not necessary when using Terraform because
-changes can be tracked and deployed by keeping the Terraform configuration
-in a version-control repository. It also uses API Gateway in a very simple
-way, proxying all requests to a single AWS Lambda function that is expected
-to contain its own request routing logic.
-
-As usual, there are other valid ways to use these services that make different
-tradeoffs. We encourage readers to consult the official documentation for
-the respective services for additional context and best-practices. This guide
-can still serve as an introduction to the main resources associated with
-these services, even if you choose a different architecture.
-
-## Preparation
-
-In order to follow this guide you will need an AWS account and to have
-Terraform installed.
-[Configure your credentials](/docs/providers/aws/index.html#authentication)
-so that Terraform is able to act on your behalf.
-
-For simplicity here we will assume you are already using a set of IAM
-credentials with suitable access to create Lambda functions and work with API
-Gateway. If you aren't sure and are working in an AWS account used only for
-development, the simplest approach to get started is to use credentials with
-full administrative access to the target AWS account.
-
-In the following section we will manually emulate an automatic build process
-using the `zip` command line tool and the [AWS CLI](https://aws.amazon.com/cli/).
-The latter must also have access to your AWS credentials, and the easiest way
-to achieve this is to provide them via environment variables so that they can
-be used by both the AWS CLI and Terraform.
-
-~> **Warning:** Following this tutorial will create objects in your AWS account
-that will cost you money against your AWS bill.
-
-## Building the Lambda Function Package
-
-AWS Lambda expects a function's implementation to be provided as an archive
-containing the function source code and any other static files needed to
-execute the function.
-
-Terraform is not a build tool, so the zip file must be prepared using a
-separate build process prior to deploying it with Terraform. For a real
-application we recommend automating your build via a CI system, whose job
-is to run any necessary build actions (library installation, compilation, etc),
-produce the deployment zip file as a build artifact, and then upload that
-artifact into an Amazon S3 bucket from which it will be read for deployment.
-
-For the sake of this tutorial we will perform these build steps manually and
-build a very simple AWS Lambda function. Start by creating a new directory
-called `example` that will be used to create the archive, and place in it a
-single source file. We will use the JavaScript runtime in this example, so
-our file is called `main.js` and will contain the following source code:
-
-```js
-'use strict';
-
-exports.handler = function (event, context, callback) {
-    var response = {
-        statusCode: 200,
-        headers: {
-            'Content-Type': 'text/html; charset=utf-8',
-        },
-        body: "<p>Hello world!</p>",
-    };
-    callback(null, response);
-};
-```
-
-The above is the simplest possible Lambda function for use with API Gateway,
-returning a hard-coded "Hello world!" response in the object structure that
-API Gateway expects.
-
-From your command prompt, change to the directory containing that file and
-add it to a zip file in the parent directory:
-
-```
-$ cd example
-$ zip ../example.zip main.js
-  adding: main.js (deflated 33%)
-$ cd ..
-```
-
-In a real build and deploy scenario we would have an S3 bucket set aside for
-staging our archive and would use this to "hand off" these artifacts between
-the build and deploy process. For the sake of this tutorial we will create
-a temporary S3 bucket using the AWS CLI. S3 bucket names are globally unique,
-so you may need to change the `--bucket=` argument in the following example
-and substitute your new bucket name throughout the rest of this tutorial.
-
-```
-$ aws s3api create-bucket --bucket=terraform-serverless-example --region=us-east-1
-```
-
-You can now upload your build artifact into this S3 bucket:
-
-```
-$ aws s3 cp example.zip s3://terraform-serverless-example/v1.0.0/example.zip
-```
-
-A version number is included in the object path to identify this build. Later
-we will demonstrate deploying a new version, which will create another
-separate object.
-
-## Creating the Lambda Function
-
-With the source code artifact built and uploaded to S3, we can now write our
-Terraform configuration to deploy it. In a new directory, create a file
-named `lambda.tf` containing the following configuration:
-
-```hcl
-provider "aws" {
-  region = "us-east-1"
-}
-
-resource "aws_lambda_function" "example" {
-  function_name = "ServerlessExample"
-
-  # The bucket name as created earlier with "aws s3api create-bucket"
-  s3_bucket = "terraform-serverless-example"
-  s3_key    = "v1.0.0/example.zip"
-
-  # "main" is the filename within the zip file (main.js) and "handler"
-  # is the name of the property under which the handler function was
-  # exported in that file.
-  handler = "main.handler"
-  runtime = "nodejs8.10"
-
-  role = "${aws_iam_role.lambda_exec.arn}"
-}
-
-# IAM role which dictates what other AWS services the Lambda function
-# may access.
-resource "aws_iam_role" "lambda_exec" {
-  name = "serverless_example_lambda"
-
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "lambda.amazonaws.com"
-      },
-      "Effect": "Allow",
-      "Sid": ""
-    }
-  ]
-}
-EOF
-}
-```
-
-Each Lambda function must have an associated IAM role which dictates what
-access it has to other AWS services. The above configuration specifies a role
-with no access policy, effectively giving the function no access to any
-AWS services, since our example application requires no such access.
-
-Before you can work with a new configuration directory, it must be initialized
-using `terraform init`, which in this case will install the AWS provider:
-
-```
-$ terraform init
-
-Initializing provider plugins...
-- Checking for available provider plugins on https://releases.hashicorp.com...
-- Downloading plugin for provider "aws" (1.9.0)...
-
-# ...
-
-Terraform has been successfully initialized!
-
-# ...
-```
-
-Now apply the configuration as usual:
-
-```
-$ terraform apply
-
-# ....
-
-aws_iam_role.lambda_exec: Creating...
-  arn:                   "" => "<computed>"
-  assume_role_policy:    "" => "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Action\": \"sts:AssumeRole\",\n      \"Principal\": {\n        \"Service\": \"lambda.amazonaws.com\"\n      },\n      \"Effect\": \"Allow\",\n      \"Sid\": \"\"\n    }\n  ]\n}\n"
-  create_date:           "" => "<computed>"
-  force_detach_policies: "" => "false"
-  name:                  "" => "serverless_example_lambda"
-  path:                  "" => "/"
-  unique_id:             "" => "<computed>"
-aws_iam_role.lambda_exec: Creation complete after 1s (ID: serverless_example_lambda)
-aws_lambda_function.example: Creating...
-  arn:              "" => "<computed>"
-  function_name:    "" => "ServerlessExample"
-  handler:          "" => "main.handler"
-  invoke_arn:       "" => "<computed>"
-  last_modified:    "" => "<computed>"
-  memory_size:      "" => "128"
-  publish:          "" => "false"
-  qualified_arn:    "" => "<computed>"
-  role:             "" => "arn:aws:iam::123456:role/serverless_example_lambda"
-  runtime:          "" => "nodejs8.10"
-  s3_bucket:        "" => "terraform-serverless-example"
-  s3_key:           "" => "v1.0.0/example.zip"
-  source_code_hash: "" => "<computed>"
-  timeout:          "" => "3"
-  tracing_config.#: "" => "<computed>"
-  version:          "" => "<computed>"
-aws_lambda_function.example: Still creating... (10s elapsed)
-aws_lambda_function.example: Creation complete after 11s (ID: ServerlessExample)
-
-Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
-```
-
-After the function is created successfully, try invoking it using the AWS
-CLI:
-
-```
-$ aws lambda invoke --region=us-east-1 --function-name=ServerlessExample output.txt
-{"StatusCode": 200}
-$ cat output.txt
-{
-  "statusCode":200,
-  "headers":{
-    "Content-Type":"text/html; charset=utf-8"
-  },
-  "body":"<p>Hello world!</p>"
-}
-```
-
-With the function working as expected, the next step is to create the API
-Gateway REST API that will provide access to it.
-
-## Configuring API Gateway
-
-API Gateway's name reflects its original purpose as a public-facing frontend
-for REST APIs, but it was later extended with features that make it easy to
-expose an entire web application based on AWS Lambda. These later features
-will be used in this tutorial. The term "REST API" is thus used loosely
-here, since API Gateway is serving as a generic HTTP frontend rather than
-necessarily serving an API.
-
-Create a new file `api_gateway.tf` in the same directory as our `lambda.tf`
-from the previous step. First, configure the root "REST API" object, as follows:
-
-```hcl
-resource "aws_api_gateway_rest_api" "example" {
-  name        = "ServerlessExample"
-  description = "Terraform Serverless Application Example"
-}
-```
-
-The "REST API" is the container for all of the other API Gateway objects we will
-create.
-
-All incoming requests to API Gateway must match with a configured resource and
-method in order to be handled. Append the following to the `lambda.tf` file to
-define a single proxy resource:
-
-```hcl
-resource "aws_api_gateway_resource" "proxy" {
-  rest_api_id = "${aws_api_gateway_rest_api.example.id}"
-  parent_id   = "${aws_api_gateway_rest_api.example.root_resource_id}"
-  path_part   = "{proxy+}"
-}
-
-resource "aws_api_gateway_method" "proxy" {
-  rest_api_id   = "${aws_api_gateway_rest_api.example.id}"
-  resource_id   = "${aws_api_gateway_resource.proxy.id}"
-  http_method   = "ANY"
-  authorization = "NONE"
-}
-```
-
-The special `path_part` value `"{proxy+}"` activates proxy behavior, which
-means that this resource will match _any_ request path. Similarly, the
-`aws_api_gateway_method` block uses a `http_method` of `"ANY"`, which allows
-any request method to be used. Taken together, this means that all incoming
-requests will match this resource.
-
-Each method on an API gateway resource has an _integration_ which specifies
-where incoming requests are routed. Add the following configuration to specify
-that requests to this method should be sent to the Lambda function defined
-earlier:
-
-```hcl
-resource "aws_api_gateway_integration" "lambda" {
-  rest_api_id = "${aws_api_gateway_rest_api.example.id}"
-  resource_id = "${aws_api_gateway_method.proxy.resource_id}"
-  http_method = "${aws_api_gateway_method.proxy.http_method}"
-
-  integration_http_method = "POST"
-  type                    = "AWS_PROXY"
-  uri                     = "${aws_lambda_function.example.invoke_arn}"
-}
-```
-
-The `AWS_PROXY` integration type causes API gateway to call into the API of
-another AWS service. In this case, it will call the AWS Lambda API to create
-an "invocation" of the Lambda function.
-
-Unfortunately the proxy resource cannot match an _empty_ path at the root of
-the API. To handle that, a similar configuration must be applied to the
-_root resource_ that is built in to the REST API object:
-
-```hcl
-resource "aws_api_gateway_method" "proxy_root" {
-  rest_api_id   = "${aws_api_gateway_rest_api.example.id}"
-  resource_id   = "${aws_api_gateway_rest_api.example.root_resource_id}"
-  http_method   = "ANY"
-  authorization = "NONE"
-}
-
-resource "aws_api_gateway_integration" "lambda_root" {
-  rest_api_id = "${aws_api_gateway_rest_api.example.id}"
-  resource_id = "${aws_api_gateway_method.proxy_root.resource_id}"
-  http_method = "${aws_api_gateway_method.proxy_root.http_method}"
-
-  integration_http_method = "POST"
-  type                    = "AWS_PROXY"
-  uri                     = "${aws_lambda_function.example.invoke_arn}"
-}
-```
-
-Finally, you need to create an API Gateway "deployment" in order to activate
-the configuration and expose the API at a URL that can be used for testing:
-
-```hcl
-resource "aws_api_gateway_deployment" "example" {
-  depends_on = [
-    "aws_api_gateway_integration.lambda",
-    "aws_api_gateway_integration.lambda_root",
-  ]
-
-  rest_api_id = "${aws_api_gateway_rest_api.example.id}"
-  stage_name  = "test"
-}
-```
-
-With all of the above configuration changes in place, run `terraform apply`
-again to create these new objects:
-
-```
-$ terraform apply
-
-# ...
-
-aws_api_gateway_rest_api.example: Creating...
-  created_date:     "" => "<computed>"
-  description:      "" => "Terraform Serverless Application Example"
-  name:             "" => "ServerlessExample"
-  root_resource_id: "" => "<computed>"
-aws_api_gateway_rest_api.example: Creation complete after 1s (ID: bkqhuuz8r8)
-
-# ...etc, etc...
-
-Apply complete! Resources: 5 added, 0 changed, 0 destroyed.
-```
-
-After the creation steps are complete, the new objects will be visible in
-[the API Gateway console](https://console.aws.amazon.com/apigateway/home?region=us-east-1).
-
-The integration with the Lambda function is not functional yet because
-API Gateway does not have the necessary access to invoke the function.
-The next step will address this, making the application fully-functional.
-
-## Allowing API Gateway to Access Lambda
-
-By default any two AWS services have no access to one another, until access
-is explicitly granted. For Lambda functions, access is granted using the
-`aws_lambda_permission` resource, which should be added to the `lambda.tf`
-file created in an earlier step:
-
-```hcl
-resource "aws_lambda_permission" "apigw" {
-  statement_id  = "AllowAPIGatewayInvoke"
-  action        = "lambda:InvokeFunction"
-  function_name = "${aws_lambda_function.example.function_name}"
-  principal     = "apigateway.amazonaws.com"
-
-  # The /*/* portion grants access from any method on any resource
-  # within the API Gateway "REST API".
-  source_arn = "${aws_api_gateway_rest_api.example.execution_arn}/*/*"
-}
-```
-
-In order to test the created API you will need to access its test URL. To
-make this easier to access, add the following output to `api_gateway.tf`:
-
-```
-output "base_url" {
-  value = "${aws_api_gateway_deployment.example.invoke_url}"
-}
-```
-
-Apply the latest changes with `terraform apply`:
-
-```
-$ terraform apply
-
-# ...
-
-aws_lambda_permission.apigw: Creating...
-  statement_id:  "" => "AllowAPIGatewayInvoke"
-  action:        "" => "lambda:InvokeFunction"
-  function_name: "" => "ServerlessExample"
-# ...
-aws_lambda_permission.apigw: Creation complete after 1s
-
-Apply complete! Resources: 1 added, 0 changed, 1 destroyed.
-
-Outputs:
-
-base_url = https://bkqhuuz8r8.execute-api.us-east-1.amazonaws.com/test
-```
-
-Load the URL given in the output from _your_ run in your favorite web browser.
-If everything has worked, you will see the text "Hello world!". This message
-is being returned from the Lambda function code uploaded earlier, via the
-API Gateway endpoint.
-
-This is a good milestone! The first version of the application is deployed and
-accessible. Next we will see how to deploy a new version of the application.
-
-## A New Version of the Lambda Function
-
-For any real application there will inevitably be changes to the application
-code over time, which must then be deployed to AWS Lambda in place of the
-previous version.
-
-Returning to the `example` directory containing the `main.js` from earlier,
-update the source code to change the message. For example:
-
-```js
-'use strict';
-
-exports.handler = function (event, context, callback) {
-    var response = {
-        statusCode: 200,
-        headers: {
-            'Content-Type': 'text/html; charset=utf-8',
-        },
-        body: "<p>Bonjour au monde!</p>",
-    };
-    callback(null, response);
-};
-```
-
-Update the zip file and upload a new version to the artifact S3 bucket:
-
-```
-$ cd example
-$ zip ../example.zip main.js
-updating: main.js (deflated 33%)
-$ cd ..
-$ aws s3 cp example.zip s3://terraform-serverless-example/v1.0.1/example.zip
-```
-
-Notice that a different version number was used in the S3 object path, so
-the previous archive is retained. In order to allow easy switching between
-versions you can define a variable to allow the version number to be chosen
-dynamically. Add the following to `lambda.tf`:
-
-```hcl
-variable "app_version" {
-}
-```
-
-Then locate the `aws_lambda_function` resource defined earlier and change
-its `s3_key` argument to include the version variable:
-
-```hcl
-resource "aws_lambda_function" "example" {
-  function_name = "ServerlessExample"
-
-  # The bucket name as created earlier with "aws s3api create-bucket"
-  s3_bucket = "terraform-serverless-example"
-  s3_key    = "v${var.app_version}/example.zip"
-
-  # (leave the remainder unchanged)
-}
-```
-
-The `terraform apply` command now requires a version number to be provided:
-
-```
-$ terraform apply -var="app_version=1.0.1"
-
-# ...
-
-Terraform will perform the following actions:
-
-  ~ aws_lambda_function.example
-      s3_key: "v1.0.0/example.zip" => "v1.0.1/example.zip"
-
-Plan: 0 to add, 1 to change, 0 to destroy.
-
-# ...
-```
-
-After the change has been applied, visit again the test URL and you should
-see the updated greeting message.
-
-## Rolling Back to an Older Version
-
-Sometimes new code doesn't work as expected and the simplest path is to
-return to the previous version. Because all of the historical versions of
-the artifact are preserved on S3, the original version can be restored with
-a single command:
-
-```
-$ terraform apply -var="app_version=1.0.0"
-```
-
-After this apply completes, the test URL will return the original message
-again.
-
-## Conclusion
-
-In this guide you created an AWS Lambda function that produces a result
-compatible with Amazon API Gateway _proxy resources_ and then configured
-API Gateway.
-
-Although the AWS Lambda function used in this guide is very simple, in more
-practical applications it is possible to use helper libraries to map
-API Gateway proxy requests to standard HTTP application APIs in various
-languages, such as [Python's WSGI](https://pypi.python.org/pypi/aws-wsgi/0.0.6)
-or [the NodeJS Express Framework](https://github.com/awslabs/aws-serverless-express).
-
-When combined with an automated build process running in a CI system, Terraform
-can help to deploy applications as AWS Lambda functions, with suitable IAM
-policies to connect with other AWS services for persistent storage, access to
-secrets, etc.
-
-## Cleaning Up
-
-Once you are finished with this guide, you can destroy the example objects
-with Terraform. Since our configuration requires a version number as an
-input variable, provide a placeholder value to destroy:
-
-```
-$ terraform destroy -var="app_version=0.0.0"
-```
-
-Since the artifact zip files and the S3 bucket itself were created
-outside of Terraform, they must also be cleaned up outside of Terraform. This
-can be done via [the S3 console](https://s3.console.aws.amazon.com/s3/home).
-Note that all of the objects in the bucket must be deleted before the bucket
-itself can be deleted.
-
-## Further Reading
-
-The following Terraform resource types are used in this tutorial:
-
-* [`aws_lambda_function`](/docs/providers/aws/r/lambda_function.html)
-* [`aws_lambda_permission`](/docs/providers/aws/r/lambda_permission.html)
-* [`aws_api_gateway_rest_api`](/docs/providers/aws/r/api_gateway_rest_api.html)
-* [`aws_api_gateway_resource`](/docs/providers/aws/r/api_gateway_resource.html)
-* [`aws_api_gateway_method`](/docs/providers/aws/r/api_gateway_method.html)
-* [`aws_api_gateway_integration`](/docs/providers/aws/r/api_gateway_integration.html)
-* [`aws_iam_role`](/docs/providers/aws/r/iam_role.html)
-
-The reference page for each resource type provides full details on all of its
-supported arguments and exported attributes.
-
-### Custom Domain Names and TLS Certificates
-
-For the sake of example, this guide uses the test URLs offered by default
-by API Gateway. In practice, most applications will be deployed at a custom
-hostname.
-
-To use a custom domain name you must first register that domain and configure
-DNS hosting for it. You must also either create an
-[Amazon Certificate Manager](https://aws.amazon.com/certificate-manager/)
-certificate or register a TLS certificate with a third-party certificate
-authority.
-
-Configuring the domain name is beyond the scope of this tutorial, but if
-you already have a hostname and TLS certificate you wish to use then you can
-register it with API Gateway using the
-[`aws_api_gateway_domain_name`](/docs/providers/aws/r/api_gateway_domain_name.html)
-resource type.
-
-A registered domain name is then mapped to a particular "REST API" object using
-[`aws_api_gateway_base_path_mapping`](/docs/providers/aws/r/api_gateway_base_path_mapping.html).
-The configured domain name then becomes an alias for a particular deployment
-stage.
-
-### Making Changes to the API Gateway Configuration
-
-This guide creates a very simple API Gateway Configuration with a single
-resource that passes through all requests to a single destination. The upgrade
-steps then modify only the AWS Lambda function, leaving the API Gateway
-configuration unchanged.
-
-Due to API Gateway's staged deployment model, if you _do_ need to make changes
-to the API Gateway configuration you must explicitly request that it be
-re-deployed by "tainting" the deployment resource:
-
-```
-$ terraform taint aws_api_gateway_deployment.example
-```
-
-This command flags that this object must be re-created in the next Terraform
-plan, so a subsequent `terraform apply` will then replace the deployment and
-thus activate the latest configuration changes.
-
-Please note that this "re-deployment" will cause some downtime, since Terraform
-will need to delete the stage and associated deployment before re-creating it.
-Downtime can be avoided by triggering the deployment action via the API Gateway
-console, outside of Terraform. The approach covered in this guide intentionally
-minimizes the need to amend the API Gateway configuration over time to
-mitigate this limitation. Better support for this workflow will be added
-to Terraform's AWS provider in a future release.
diff --git a/website/docs/r/api_gateway_rest_api.html.markdown b/website/docs/r/api_gateway_rest_api.html.markdown
index eeeb7486d424..da857979198a 100644
--- a/website/docs/r/api_gateway_rest_api.html.markdown
+++ b/website/docs/r/api_gateway_rest_api.html.markdown
@@ -43,7 +43,7 @@ The following arguments are supported:
 * `binary_media_types` - (Optional) The list of binary media types supported by the RestApi. By default, the RestApi supports only UTF-8-encoded text payloads.
 * `minimum_compression_size` - (Optional) Minimum response size to compress for the REST API. Integer between -1 and 10485760 (10MB). Setting a value greater than -1 will enable compression, -1 disables compression (default).
 * `body` - (Optional) An OpenAPI specification that defines the set of routes and integrations to create as part of the REST API.
-* `policy` - (Optional) JSON formatted policy document that controls access to the API Gateway. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](/docs/providers/aws/guides/iam-policy-documents.html)
+* `policy` - (Optional) JSON formatted policy document that controls access to the API Gateway. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy)
 * `api_key_source` - (Optional) The source of the API key for requests. Valid values are HEADER (default) and AUTHORIZER.
 
 __Note__: If the `body` argument is provided, the OpenAPI specification will be used to configure the resources, methods and integrations for the Rest API. If this argument is provided, the following resources should not be managed as separate ones, as updates may cause manual resource updates to be overwritten:
diff --git a/website/docs/r/cloudwatch_metric_alarm.html.markdown b/website/docs/r/cloudwatch_metric_alarm.html.markdown
index 2313ad5888f0..9151a3c9d7db 100644
--- a/website/docs/r/cloudwatch_metric_alarm.html.markdown
+++ b/website/docs/r/cloudwatch_metric_alarm.html.markdown
@@ -109,6 +109,30 @@ resource "aws_cloudwatch_metric_alarm" "foobar" {
 }
 ```
 
+## Example of monitoring Healthy Hosts on NLB using Target Group and NLB
+
+```hcl
+resource "aws_cloudwatch_metric_alarm" "xxx_nlb_healthyhosts" {
+  alarm_name          = "alarmname"
+  comparison_operator = "LessThanThreshold"
+  evaluation_periods  = "1"
+  metric_name         = "HealthyHostCount"
+  namespace           = "AWS/NetworkELB"
+  period              = "60"
+  statistic           = "Average"
+  threshold           = var.logstash_servers_count
+  alarm_description   = "Number of XXXX nodes healthy in Target Group"
+  actions_enabled     = "true"
+  alarm_actions       = [aws_sns_topic.sns.arn]
+  ok_actions          = [aws_sns_topic.sns.arn]
+  dimensions = {
+    TargetGroup  = aws_lb_target_group.lb-tg.arn_suffix
+    LoadBalancer = aws_lb.lb.arn_suffix
+  }
+}
+
+```
+
 ~> **NOTE:**  You cannot create a metric alarm consisting of both `statistic` and `extended_statistic` parameters.
 You must choose one or the other
 
diff --git a/website/docs/r/codedeploy_deployment_group.html.markdown b/website/docs/r/codedeploy_deployment_group.html.markdown
index 802435c486c7..181d3ba41554 100644
--- a/website/docs/r/codedeploy_deployment_group.html.markdown
+++ b/website/docs/r/codedeploy_deployment_group.html.markdown
@@ -222,7 +222,7 @@ You can configure a deployment group to automatically rollback when a deployment
 * `enabled` - (Optional) Indicates whether a defined automatic rollback configuration is currently enabled for this Deployment Group. If you enable automatic rollback, you must specify at least one event type.
 * `events` - (Optional) The event type or types that trigger a rollback. Supported types are `DEPLOYMENT_FAILURE` and `DEPLOYMENT_STOP_ON_ALARM`.
 
-_Only one `auto_rollback_ configuration` is allowed_.
+_Only one `auto_rollback_configuration` is allowed_.
 
 ### blue_green_deployment_config Argument Reference
 
diff --git a/website/docs/r/ecr_lifecycle_policy.html.markdown b/website/docs/r/ecr_lifecycle_policy.html.markdown
index f760442d9c57..8d378c9e7aa1 100644
--- a/website/docs/r/ecr_lifecycle_policy.html.markdown
+++ b/website/docs/r/ecr_lifecycle_policy.html.markdown
@@ -85,7 +85,7 @@ EOF
 The following arguments are supported:
 
 * `repository` - (Required) Name of the repository to apply the policy.
-* `policy` - (Required) The policy document. This is a JSON formatted string. See more details about [Policy Parameters](http://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html#lifecycle_policy_parameters) in the official AWS docs. For more information about building IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](/docs/providers/aws/guides/iam-policy-documents.html).
+* `policy` - (Required) The policy document. This is a JSON formatted string. See more details about [Policy Parameters](http://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html#lifecycle_policy_parameters) in the official AWS docs. For more information about building IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy).
 
 ## Attributes Reference
 
diff --git a/website/docs/r/ecr_repository_policy.html.markdown b/website/docs/r/ecr_repository_policy.html.markdown
index 523df7e01529..7852baca321a 100644
--- a/website/docs/r/ecr_repository_policy.html.markdown
+++ b/website/docs/r/ecr_repository_policy.html.markdown
@@ -58,7 +58,7 @@ EOF
 The following arguments are supported:
 
 * `repository` - (Required) Name of the repository to apply the policy.
-* `policy` - (Required) The policy document. This is a JSON formatted string. For more information about building IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](/docs/providers/aws/guides/iam-policy-documents.html)
+* `policy` - (Required) The policy document. This is a JSON formatted string. For more information about building IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy)
 
 ## Attributes Reference
 
diff --git a/website/docs/r/iam_group_policy.html.markdown b/website/docs/r/iam_group_policy.html.markdown
index 691dcfade771..9843b37d3b8f 100644
--- a/website/docs/r/iam_group_policy.html.markdown
+++ b/website/docs/r/iam_group_policy.html.markdown
@@ -43,7 +43,7 @@ resource "aws_iam_group" "my_developers" {
 
 The following arguments are supported:
 
-* `policy` - (Required) The policy document. This is a JSON formatted string. For more information about building IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](/docs/providers/aws/guides/iam-policy-documents.html)
+* `policy` - (Required) The policy document. This is a JSON formatted string. For more information about building IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy)
 * `name` - (Optional) The name of the policy. If omitted, Terraform will
 assign a random, unique name.
 * `name_prefix` - (Optional) Creates a unique name beginning with the specified
diff --git a/website/docs/r/iam_policy.html.markdown b/website/docs/r/iam_policy.html.markdown
index e5c621fceafe..cf1bdd393762 100644
--- a/website/docs/r/iam_policy.html.markdown
+++ b/website/docs/r/iam_policy.html.markdown
@@ -44,7 +44,7 @@ The following arguments are supported:
 * `name_prefix` - (Optional, Forces new resource) Creates a unique name beginning with the specified prefix. Conflicts with `name`.
 * `path` - (Optional, default "/") Path in which to create the policy.
   See [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) for more information.
-* `policy` - (Required) The policy document. This is a JSON formatted string. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](/docs/providers/aws/guides/iam-policy-documents.html)
+* `policy` - (Required) The policy document. This is a JSON formatted string. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy)
 
 ## Attributes Reference
 
diff --git a/website/docs/r/iam_role_policy.html.markdown b/website/docs/r/iam_role_policy.html.markdown
index 339bae744166..d551d0f84047 100644
--- a/website/docs/r/iam_role_policy.html.markdown
+++ b/website/docs/r/iam_role_policy.html.markdown
@@ -62,7 +62,7 @@ The following arguments are supported:
 assign a random, unique name.
 * `name_prefix` - (Optional) Creates a unique name beginning with the specified
   prefix. Conflicts with `name`.
-* `policy` - (Required) The policy document. This is a JSON formatted string. For more information about building IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](/docs/providers/aws/guides/iam-policy-documents.html)
+* `policy` - (Required) The policy document. This is a JSON formatted string. For more information about building IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy)
 * `role` - (Required) The IAM role to attach to the policy.
 
 ## Attributes Reference
diff --git a/website/docs/r/iam_user_policy.html.markdown b/website/docs/r/iam_user_policy.html.markdown
index 275a9d6cfab3..3ecf8d3ae15a 100644
--- a/website/docs/r/iam_user_policy.html.markdown
+++ b/website/docs/r/iam_user_policy.html.markdown
@@ -47,7 +47,7 @@ resource "aws_iam_access_key" "lb" {
 
 The following arguments are supported:
 
-* `policy` - (Required) The policy document. This is a JSON formatted string. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](/docs/providers/aws/guides/iam-policy-documents.html).
+* `policy` - (Required) The policy document. This is a JSON formatted string. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy).
 * `name` - (Optional) The name of the policy. If omitted, Terraform will assign a random, unique name.
 * `name_prefix` - (Optional, Forces new resource) Creates a unique name beginning with the specified prefix. Conflicts with `name`.
 * `user` - (Required) IAM user to which to attach this policy.
diff --git a/website/docs/r/iot_policy.html.markdown b/website/docs/r/iot_policy.html.markdown
index c88d0f023dee..824b873f8fc0 100644
--- a/website/docs/r/iot_policy.html.markdown
+++ b/website/docs/r/iot_policy.html.markdown
@@ -38,7 +38,7 @@ EOF
 The following arguments are supported:
 
 * `name` - (Required) The name of the policy.
-* `policy` - (Required) The policy document. This is a JSON formatted string. Use the [IoT Developer Guide](http://docs.aws.amazon.com/iot/latest/developerguide/iot-policies.html) for more information on IoT Policies. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](/docs/providers/aws/guides/iam-policy-documents.html).
+* `policy` - (Required) The policy document. This is a JSON formatted string. Use the [IoT Developer Guide](http://docs.aws.amazon.com/iot/latest/developerguide/iot-policies.html) for more information on IoT Policies. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy).
 
 ## Attributes Reference
 
diff --git a/website/docs/r/kms_key.html.markdown b/website/docs/r/kms_key.html.markdown
index 31e0db29c3a0..32aa469c8c0e 100644
--- a/website/docs/r/kms_key.html.markdown
+++ b/website/docs/r/kms_key.html.markdown
@@ -26,7 +26,7 @@ The following arguments are supported:
 * `description` - (Optional) The description of the key as viewed in AWS console.
 * `key_usage` - (Optional) Specifies the intended use of the key.
 	Defaults to ENCRYPT_DECRYPT, and only symmetric encryption and decryption are supported.
-* `policy` - (Optional) A valid policy JSON document. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](/docs/providers/aws/guides/iam-policy-documents.html).
+* `policy` - (Optional) A valid policy JSON document. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy).
 * `deletion_window_in_days` - (Optional) Duration in days after which the key is deleted
 	after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days.
 * `is_enabled` - (Optional) Specifies whether the key is enabled. Defaults to true.
diff --git a/website/docs/r/lambda_function.html.markdown b/website/docs/r/lambda_function.html.markdown
index 8af55a4b3745..f62307eaa041 100644
--- a/website/docs/r/lambda_function.html.markdown
+++ b/website/docs/r/lambda_function.html.markdown
@@ -157,7 +157,7 @@ large files efficiently.
 * `publish` - (Optional) Whether to publish creation/change as new Lambda Function Version. Defaults to `false`.
 * `vpc_config` - (Optional) Provide this to allow your function to access your VPC. Fields documented below. See [Lambda in VPC][7]
 * `environment` - (Optional) The Lambda environment's configuration settings. Fields documented below.
-* `kms_key_arn` - (Optional) The ARN for the KMS encryption key.
+* `kms_key_arn` - (Optional) Amazon Resource Name (ARN) of the AWS Key Management Service (KMS) key that is used to encrypt environment variables. If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key. If this configuration is provided when environment variables are not in use, the AWS Lambda API does not save this configuration and Terraform will show a perpetual difference of adding the key. To fix the perpetual difference, remove this configuration.
 * `source_code_hash` - (Optional) Used to trigger updates. Must be set to a base64-encoded SHA256 hash of the package file specified with either `filename` or `s3_key`. The usual way to set this is `filebase64sha256("file.zip")` (Terraform 0.11.12 and later) or `base64sha256(file("file.zip"))` (Terraform 0.11.11 and earlier), where "file.zip" is the local filename of the lambda function source archive.
 * `tags` - (Optional) A mapping of tags to assign to the object.
 
diff --git a/website/docs/r/media_store_container_policy.html.markdown b/website/docs/r/media_store_container_policy.html.markdown
index e4309648727c..b1c5edc93210 100644
--- a/website/docs/r/media_store_container_policy.html.markdown
+++ b/website/docs/r/media_store_container_policy.html.markdown
@@ -47,7 +47,7 @@ EOF
 The following arguments are supported:
 
 * `container_name` - (Required) The name of the container.
-* `policy` - (Required) The contents of the policy. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](/docs/providers/aws/guides/iam-policy-documents.html).
+* `policy` - (Required) The contents of the policy. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy).
 
 ## Import
 
diff --git a/website/docs/r/s3_bucket.html.markdown b/website/docs/r/s3_bucket.html.markdown
index 98a96ae44a3e..904e969f346c 100644
--- a/website/docs/r/s3_bucket.html.markdown
+++ b/website/docs/r/s3_bucket.html.markdown
@@ -316,7 +316,7 @@ The following arguments are supported:
 * `bucket` - (Optional, Forces new resource) The name of the bucket. If omitted, Terraform will assign a random, unique name.
 * `bucket_prefix` - (Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix. Conflicts with `bucket`.
 * `acl` - (Optional) The [canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) to apply. Defaults to "private".
-* `policy` - (Optional) A valid [bucket policy](https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html) JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a `terraform plan`. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](/docs/providers/aws/guides/iam-policy-documents.html).
+* `policy` - (Optional) A valid [bucket policy](https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html) JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a `terraform plan`. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy).
 
 * `tags` - (Optional) A mapping of tags to assign to the bucket.
 * `force_destroy` - (Optional, Default:`false`) A boolean that indicates all objects (including any [locked objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock-overview.html)) should be deleted from the bucket so that the bucket can be destroyed without error. These objects are *not* recoverable.
diff --git a/website/docs/r/s3_bucket_policy.html.markdown b/website/docs/r/s3_bucket_policy.html.markdown
index 24c3c9648bc6..57d8ebb99b7f 100644
--- a/website/docs/r/s3_bucket_policy.html.markdown
+++ b/website/docs/r/s3_bucket_policy.html.markdown
@@ -48,7 +48,7 @@ POLICY
 The following arguments are supported:
 
 * `bucket` - (Required) The name of the bucket to which to apply the policy.
-* `policy` - (Required) The text of the policy. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](/docs/providers/aws/guides/iam-policy-documents.html).
+* `policy` - (Required) The text of the policy. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy).
 
 ## Import
 
diff --git a/website/docs/r/secretsmanager_secret.html.markdown b/website/docs/r/secretsmanager_secret.html.markdown
index 5afda510c698..dc3b2491f146 100644
--- a/website/docs/r/secretsmanager_secret.html.markdown
+++ b/website/docs/r/secretsmanager_secret.html.markdown
@@ -47,7 +47,7 @@ The following arguments are supported:
 * `name_prefix` - (Optional) Creates a unique name beginning with the specified prefix. Conflicts with `name`.
 * `description` - (Optional) A description of the secret.
 * `kms_key_id` - (Optional) Specifies the ARN or alias of the AWS KMS customer master key (CMK) to be used to encrypt the secret values in the versions stored in this secret. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default CMK (the one named `aws/secretsmanager`). If the default KMS CMK with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.
-* `policy` - (Optional) A valid JSON document representing a [resource policy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-based-policies.html). For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](/docs/providers/aws/guides/iam-policy-documents.html).
+* `policy` - (Optional) A valid JSON document representing a [resource policy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-based-policies.html). For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy).
 * `recovery_window_in_days` - (Optional) Specifies the number of days that AWS Secrets Manager waits before it can delete the secret. This value can be `0` to force deletion without recovery or range from `7` to `30` days. The default value is `30`.
 * `rotation_lambda_arn` - (Optional) Specifies the ARN of the Lambda function that can rotate the secret.
 * `rotation_rules` - (Optional) A structure that defines the rotation configuration for this secret. Defined below.
diff --git a/website/docs/r/ses_identity_policy.html.markdown b/website/docs/r/ses_identity_policy.html.markdown
index a81cec198dc7..6a1a8970d6c3 100644
--- a/website/docs/r/ses_identity_policy.html.markdown
+++ b/website/docs/r/ses_identity_policy.html.markdown
@@ -42,7 +42,7 @@ The following arguments are supported:
 
 * `identity` - (Required) Name or Amazon Resource Name (ARN) of the SES Identity.
 * `name` - (Required) Name of the policy.
-* `policy` - (Required) JSON string of the policy. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](/docs/providers/aws/guides/iam-policy-documents.html).
+* `policy` - (Required) JSON string of the policy. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy).
 
 ## Import
 
diff --git a/website/docs/r/sns_topic.html.markdown b/website/docs/r/sns_topic.html.markdown
index d09632434c2a..11e5b9fc52a7 100644
--- a/website/docs/r/sns_topic.html.markdown
+++ b/website/docs/r/sns_topic.html.markdown
@@ -65,7 +65,7 @@ The following arguments are supported:
 * `name` - (Optional) The friendly name for the SNS topic. By default generated by Terraform.
 * `name_prefix` - (Optional) The friendly name for the SNS topic. Conflicts with `name`.
 * `display_name` - (Optional) The display name for the SNS topic
-* `policy` - (Optional) The fully-formed AWS policy as JSON. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](/docs/providers/aws/guides/iam-policy-documents.html).
+* `policy` - (Optional) The fully-formed AWS policy as JSON. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy).
 * `delivery_policy` - (Optional) The SNS delivery policy. More on [AWS documentation](https://docs.aws.amazon.com/sns/latest/dg/DeliveryPolicies.html)
 * `application_success_feedback_role_arn` - (Optional) The IAM role permitted to receive success feedback for this topic
 * `application_success_feedback_sample_rate` - (Optional) Percentage of success to sample
diff --git a/website/docs/r/sns_topic_policy.html.markdown b/website/docs/r/sns_topic_policy.html.markdown
index 60c5116fd97d..5d89567fdc25 100644
--- a/website/docs/r/sns_topic_policy.html.markdown
+++ b/website/docs/r/sns_topic_policy.html.markdown
@@ -71,7 +71,7 @@ data "aws_iam_policy_document" "sns-topic-policy" {
 The following arguments are supported:
 
 * `arn` - (Required) The ARN of the SNS topic
-* `policy` - (Required) The fully-formed AWS policy as JSON. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](/docs/providers/aws/guides/iam-policy-documents.html).
+* `policy` - (Required) The fully-formed AWS policy as JSON. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy).
 
 ## Import
 
diff --git a/website/docs/r/sqs_queue.html.markdown b/website/docs/r/sqs_queue.html.markdown
index 26da29377c9c..04900a1a8001 100644
--- a/website/docs/r/sqs_queue.html.markdown
+++ b/website/docs/r/sqs_queue.html.markdown
@@ -56,7 +56,7 @@ The following arguments are supported:
 * `max_message_size` - (Optional) The limit of how many bytes a message can contain before Amazon SQS rejects it. An integer from 1024 bytes (1 KiB) up to 262144 bytes (256 KiB). The default for this attribute is 262144 (256 KiB).
 * `delay_seconds` - (Optional) The time in seconds that the delivery of all messages in the queue will be delayed. An integer from 0 to 900 (15 minutes). The default for this attribute is 0 seconds.
 * `receive_wait_time_seconds` - (Optional) The time for which a ReceiveMessage call will wait for a message to arrive (long polling) before returning. An integer from 0 to 20 (seconds). The default for this attribute is 0, meaning that the call will return immediately.
-* `policy` - (Optional) The JSON policy for the SQS queue. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](/docs/providers/aws/guides/iam-policy-documents.html).
+* `policy` - (Optional) The JSON policy for the SQS queue. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy).
 * `redrive_policy` - (Optional) The JSON policy to set up the Dead Letter Queue, see [AWS docs](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/SQSDeadLetterQueue.html). **Note:** when specifying `maxReceiveCount`, you must specify it as an integer (`5`), and not a string (`"5"`).
 * `fifo_queue` - (Optional) Boolean designating a FIFO queue. If not set, it defaults to `false` making it standard.
 * `content_based_deduplication` - (Optional) Enables content-based deduplication for FIFO queues. For more information, see the [related documentation](http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/FIFO-queues.html#FIFO-queues-exactly-once-processing)
diff --git a/website/docs/r/sqs_queue_policy.html.markdown b/website/docs/r/sqs_queue_policy.html.markdown
index 0c96dda65201..12c322653dac 100644
--- a/website/docs/r/sqs_queue_policy.html.markdown
+++ b/website/docs/r/sqs_queue_policy.html.markdown
@@ -49,7 +49,7 @@ POLICY
 The following arguments are supported:
 
 * `queue_url` - (Required) The URL of the SQS Queue to which to attach the policy
-* `policy` - (Required) The JSON policy for the SQS queue. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](/docs/providers/aws/guides/iam-policy-documents.html).
+* `policy` - (Required) The JSON policy for the SQS queue. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy).
 
 ## Import
 
diff --git a/website/docs/r/vpc_endpoint.html.markdown b/website/docs/r/vpc_endpoint.html.markdown
index 48abdcb14f52..16b9c3eb6176 100644
--- a/website/docs/r/vpc_endpoint.html.markdown
+++ b/website/docs/r/vpc_endpoint.html.markdown
@@ -97,7 +97,7 @@ The following arguments are supported:
 * `service_name` - (Required) The service name, in the form `com.amazonaws.region.service` for AWS services.
 * `vpc_id` - (Required) The ID of the VPC in which the endpoint will be used.
 * `auto_accept` - (Optional) Accept the VPC endpoint (the VPC endpoint and service need to be in the same AWS account).
-* `policy` - (Optional) A policy to attach to the endpoint that controls access to the service. Defaults to full access. All `Gateway` and some `Interface` endpoints support policies - see the [relevant AWS documentation](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html) for more details. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](/docs/providers/aws/guides/iam-policy-documents.html).
+* `policy` - (Optional) A policy to attach to the endpoint that controls access to the service. Defaults to full access. All `Gateway` and some `Interface` endpoints support policies - see the [relevant AWS documentation](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html) for more details. For more information about building AWS IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy).
 * `private_dns_enabled` - (Optional; AWS services and AWS Marketplace partner services only) Whether or not to associate a private hosted zone with the specified VPC. Applicable for endpoints of type `Interface`.
 Defaults to `false`.
 * `route_table_ids` - (Optional) One or more route table IDs. Applicable for endpoints of type `Gateway`.