chore(release): 2.217.0 #35572

aws-cdk-automation · 2025-09-25T09:00:19Z

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.216.0/CHANGELOG.md)

…ncluding matched files (#35511) ### Issue # (if applicable) Closes #9146 ### Reason for this change When bundling assets with `IgnoreMode.GIT`, files that should be included via negation patterns (like `!*.html`) are incorrectly excluded if they're inside directories that are also re-included by negation patterns. Here's an example - consider the following tree: ``` - index.html - app/ - component.js - index.html - home.html ``` If we use a `exclude` pattern of `['*', '!*.html', '!*/']`, the `index.html` in the root and both HTML files from the `app` folder should be included - the `app` folder shouldn't be excluded, due to the `!*/` pattern. Right now, only the `index.html` file in the root folder is included. ### Description of changes Similar to #22002, I've updated the `completelyIgnores` logic that's used to check if we need to skip a directory tree to include a trailing slash before verifying whether it's an ignored pattern. This makes it properly match directory-specific negation patterns like `!*/` by ensuring we're checking directory paths (with trailing slashes) against directory patterns. I've also updated the logic in `fingerprint` to check if we're ignoring directories or files, and call `completelyIgnores` or `ignores` accordingly. ### Describe any new or updated permissions being added None. ### Description of how you validated changes Added unit tests covering the described scenarios. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…35545) Because `IAlias` extends `IKey`, `IAlias` inherits the new `keyRef: KeyReference`. It was originally implemented by referencing the underlying key, but that's wrong: it should reference the alias itself, but using the field names it shares with `IKey`. In fact, we should have introduced a new interface like `IKeyLike` to do this job, but instead we overloaded `IKey` to behave like a hypothetical `IKeyLike`, and `IKeyRef` now inherits this double duty. Therefore, we now make the `IKeyRef` implementation of `Alias` behave like a `IKeyLikeRef`, and satisfy the contract using its own fields. Closes #35543 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

The `IFunctionRef` implementation of `LatestVersion` returns the underlying function ARN, instead of the version's ARN. This is a similar situation and fix to #35545. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…35547) When copying the underlying `CfnFunction`'s implementation of `IFunctionRef`, the source of the `functionArn` value changed from a `{ GetAtt }` to a `{ Ref }`. Both expression return the same value, but if the ARN is exported to another stack, CloudFormation will reject any change to the expression under the assumption that `different expression ⇒ different value`, and that's not allowed. Override the implementation for the L2, returning the same expression as previously. Closes #35531 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…35193) ### Issue # (if applicable) Closes #35192 ### Reason for this change This change fixes an issue in DatabaseInstance.fromLookup() where port values aren't properly converted from strings to numbers. This causes validation errors when setting up access permissions using the connections interface, as CfnSecurityGroupIngressProps requires port values to be numbers, not strings. ### Description of changes Modified `instance.ts` in the `fromLookup` method to convert the port string to a number. ### Describe any new or updated permissions being added N/A ### Description of how you validated changes Add a unit test. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Reason for this change https://aws.amazon.com/about-aws/whats-new/2025/09/generally-available-amazon-ec2-r8gn-instances/ ### Description of changes Add r8gn instance classes ### Description of how you validated changes ```console $ aws ec2 describe-instance-types | grep -e r8gn "InstanceType": "r8gn.12xlarge", "InstanceType": "r8gn.2xlarge", ... ``` ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-accessanalyzer │ └ resources │ └[~] resource AWS::AccessAnalyzer::Analyzer │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:access-analyzer:${Region}:${Account}:analyzer/${AnalyzerName} ├[~] service aws-acmpca │ └ resources │ ├[~] resource AWS::ACMPCA::CertificateAuthority │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:acm-pca:${Region}:${Account}:certificate-authority/${CertificateAuthorityId} │ └[~] resource AWS::ACMPCA::Permission │ └ - documentation: Grants permissions to the AWS Certificate Manager ( ACM ) service principal ( `acm.amazonaws.com` ) to perform [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html) , [GetCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificate.html) , and [ListPermissions](https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListPermissions.html) actions on a CA. These actions are needed for the ACM principal to renew private PKI certificates requested through ACM and residing in the same AWS account as the CA. │ **About permissions** - If the private CA and the certificates it issues reside in the same account, you can use `AWS::ACMPCA::Permission` to grant permissions for ACM to carry out automatic certificate renewals. │ - For automatic certificate renewal to succeed, the ACM service principal needs permissions to create, retrieve, and list permissions. │ - If the private CA and the ACM certificates reside in different accounts, then permissions cannot be used to enable automatic renewals. Instead, the ACM certificate owner must set up a resource-based policy to enable cross-account issuance and renewals. For more information, see [Using a Resource Based Policy with AWS Private CA](https://docs.aws.amazon.com/privateca/latest/userguide/pca-rbp.html) . │ > To update an `AWS::ACMPCA::Permission` resource, you must first delete the existing permission resource from the CloudFormation stack and then create a new permission resource with updated properties. │ + documentation: Grants permissions to the Certificate Manager ( ACM ) service principal ( `acm.amazonaws.com` ) to perform [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html) , [GetCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificate.html) , and [ListPermissions](https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListPermissions.html) actions on a CA. These actions are needed for the ACM principal to renew private PKI certificates requested through ACM and residing in the same AWS account as the CA. │ **About permissions** - If the private CA and the certificates it issues reside in the same account, you can use `AWS::ACMPCA::Permission` to grant permissions for ACM to carry out automatic certificate renewals. │ - For automatic certificate renewal to succeed, the ACM service principal needs permissions to create, retrieve, and list permissions. │ - If the private CA and the ACM certificates reside in different accounts, then permissions cannot be used to enable automatic renewals. Instead, the ACM certificate owner must set up a resource-based policy to enable cross-account issuance and renewals. For more information, see [Using a Resource Based Policy with AWS Private CA](https://docs.aws.amazon.com/privateca/latest/userguide/pca-rbp.html) . │ > To update an `AWS::ACMPCA::Permission` resource, you must first delete the existing permission resource from the CloudFormation stack and then create a new permission resource with updated properties. ├[~] service aws-aiops │ └ resources │ └[~] resource AWS::AIOps::InvestigationGroup │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:aiops:${Region}:${Account}:investigation-group/${InvestigationGroupId} ├[~] service aws-amazonmq │ ├ resources │ │ ├[~] resource AWS::AmazonMQ::Broker │ │ │ ├ - arnTemplate: undefined │ │ │ │ + arnTemplate: arn:${Partition}:mq:${Region}:${Account}:broker:${BrokerName}:${BrokerId} │ │ │ └ metrics │ │ │ └[-] AWS/AmazonMQ • CpuCreditBalanceHeapUsage • Maximum │ │ └[~] resource AWS::AmazonMQ::Configuration │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:mq:${Region}:${Account}:configuration:${ConfigurationId} │ └ metrics │ └[-] AWS/AmazonMQ • CpuCreditBalanceHeapUsage • Maximum ├[~] service aws-amplify │ └ resources │ ├[~] resource AWS::Amplify::App │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:amplify:${Region}:${Account}:apps/${AppId} │ ├[~] resource AWS::Amplify::Branch │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:amplify:${Region}:${Account}:apps/${AppId}/branches/${BranchName} │ └[~] resource AWS::Amplify::Domain │ ├ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:amplify:${Region}:${Account}:apps/${AppId}/domains/${DomainName} │ └ types │ ├[~] type Certificate │ │ └ properties │ │ ├ CertificateArn: (documentation changed) │ │ └ CertificateType: (documentation changed) │ └[~] type CertificateSettings │ └ properties │ ├ CertificateType: (documentation changed) │ └ CustomCertificateArn: (documentation changed) ├[~] service aws-amplifyuibuilder │ └ resources │ ├[~] resource AWS::AmplifyUIBuilder::Component │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:amplifyuibuilder:${Region}:${Account}:app/${AppId}/environment/${EnvironmentName}/components/${Id} │ ├[~] resource AWS::AmplifyUIBuilder::Form │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:amplifyuibuilder:${Region}:${Account}:app/${AppId}/environment/${EnvironmentName}/forms/${Id} │ └[~] resource AWS::AmplifyUIBuilder::Theme │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:amplifyuibuilder:${Region}:${Account}:app/${AppId}/environment/${EnvironmentName}/themes/${Id} ├[~] service aws-apigateway │ └ resources │ ├[~] resource AWS::ApiGateway::Account │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/account/${ApiGatewayAccountId} │ ├[~] resource AWS::ApiGateway::ApiKey │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/apikeys/${ApiKeyId} │ ├[~] resource AWS::ApiGateway::Authorizer │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/authorizers/${AuthorizerId} │ ├[~] resource AWS::ApiGateway::BasePathMapping │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/domainnames/${DomainName}/basepathmappings/${BasePath} │ ├[~] resource AWS::ApiGateway::ClientCertificate │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/clientcertificates/${ClientCertificateId} │ ├[~] resource AWS::ApiGateway::Deployment │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/deployments/${DeploymentId} │ ├[~] resource AWS::ApiGateway::DocumentationPart │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/documentation/parts/${DocumentationPartId} │ ├[~] resource AWS::ApiGateway::DocumentationVersion │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/documentation/versions/${DocumentationVersionId} │ ├[~] resource AWS::ApiGateway::DomainName │ │ ├ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/domainnames/${DomainName} │ │ └ properties │ │ ├ CertificateArn: (documentation changed) │ │ └ RegionalCertificateArn: (documentation changed) │ ├[~] resource AWS::ApiGateway::DomainNameAccessAssociation │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}:${Account}:/domainnameaccessassociations │ ├[~] resource AWS::ApiGateway::DomainNameV2 │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/domainnames/${DomainName} │ ├[~] resource AWS::ApiGateway::GatewayResponse │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/gatewayresponses/${ResponseType} │ ├[~] resource AWS::ApiGateway::Method │ │ ├ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/resources/${ResourceId}/methods/${HttpMethodType} │ │ └ metrics │ │ ├[+] AWS/ApiGateway • 4XXError • Sum │ │ ├[+] AWS/ApiGateway • 5XXError • Sum │ │ ├[+] AWS/ApiGateway • CacheHitCount • Sum │ │ ├[+] AWS/ApiGateway • CacheMissCount • Sum │ │ ├[+] AWS/ApiGateway • Count • Sum │ │ ├[+] AWS/ApiGateway • IntegrationLatency • Average │ │ └[+] AWS/ApiGateway • Latency • Average │ ├[~] resource AWS::ApiGateway::Model │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/models/${ModelName} │ ├[~] resource AWS::ApiGateway::RequestValidator │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/requestvalidators/${RequestValidatorId} │ ├[~] resource AWS::ApiGateway::Resource │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/resources/${ResourceId} │ ├[~] resource AWS::ApiGateway::RestApi │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId} │ ├[~] resource AWS::ApiGateway::Stage │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/stages/${StageName} │ ├[~] resource AWS::ApiGateway::UsagePlan │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/usageplans/${UsagePlanId} │ ├[~] resource AWS::ApiGateway::UsagePlanKey │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/usageplans/${UsagePlanId}/keys/${Id} │ └[~] resource AWS::ApiGateway::VpcLink │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/vpclinks/${VpcLinkId} ├[~] service aws-apigatewayv2 │ ├ resources │ │ ├[~] resource AWS::ApiGatewayV2::Api │ │ │ ├ - arnTemplate: undefined │ │ │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/apis/${ApiId} │ │ │ └ metrics │ │ │ ├[+] AWS/ApiGateway • 4xx • Sum │ │ │ ├[+] AWS/ApiGateway • 5xx • Sum │ │ │ ├[+] AWS/ApiGateway • ClientError • Sum │ │ │ ├[+] AWS/ApiGateway • ConnectCount • Sum │ │ │ ├[+] AWS/ApiGateway • Count • Sum │ │ │ ├[+] AWS/ApiGateway • DataProcessed • Sum │ │ │ ├[+] AWS/ApiGateway • ExecutionError • Sum │ │ │ ├[+] AWS/ApiGateway • IntegrationError • Sum │ │ │ ├[+] AWS/ApiGateway • IntegrationLatency • Average │ │ │ ├[+] AWS/ApiGateway • Latency • Average │ │ │ └[+] AWS/ApiGateway • MessageCount • Sum │ │ ├[~] resource AWS::ApiGatewayV2::ApiMapping │ │ │ └ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/domainnames/${DomainName}/apimappings/${ApiMappingId} │ │ ├[~] resource AWS::ApiGatewayV2::Authorizer │ │ │ └ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/authorizers/${AuthorizerId} │ │ ├[~] resource AWS::ApiGatewayV2::Deployment │ │ │ └ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/deployments/${DeploymentId} │ │ ├[~] resource AWS::ApiGatewayV2::DomainName │ │ │ └ types │ │ │ └[~] type DomainNameConfiguration │ │ │ └ properties │ │ │ └ OwnershipVerificationCertificateArn: (documentation changed) │ │ ├[~] resource AWS::ApiGatewayV2::Integration │ │ │ └ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/integrations/${IntegrationId} │ │ ├[~] resource AWS::ApiGatewayV2::IntegrationResponse │ │ │ └ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/integrations/${IntegrationId}/integrationresponses/${IntegrationResponseId} │ │ ├[~] resource AWS::ApiGatewayV2::Model │ │ │ └ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/models/${ModelId} │ │ ├[~] resource AWS::ApiGatewayV2::Route │ │ │ ├ - arnTemplate: undefined │ │ │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/routes/${RouteId} │ │ │ └ metrics │ │ │ ├[+] AWS/ApiGateway • ClientError • Sum │ │ │ ├[+] AWS/ApiGateway • ConnectCount • Sum │ │ │ ├[+] AWS/ApiGateway • ExecutionError • Sum │ │ │ ├[+] AWS/ApiGateway • IntegrationError • Sum │ │ │ ├[+] AWS/ApiGateway • IntegrationLatency • Average │ │ │ └[+] AWS/ApiGateway • MessageCount • Sum │ │ ├[~] resource AWS::ApiGatewayV2::RouteResponse │ │ │ └ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/routes/${RouteId}/routeresponses/${RouteResponseId} │ │ ├[~] resource AWS::ApiGatewayV2::RoutingRule │ │ │ └ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}:${Account}:/domainnames/${DomainName}/routingrules/${RoutingRuleId} │ │ ├[~] resource AWS::ApiGatewayV2::Stage │ │ │ ├ - arnTemplate: undefined │ │ │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/stages/${StageName} │ │ │ └ metrics │ │ │ ├[+] AWS/ApiGateway • 4XXError • Sum │ │ │ ├[+] AWS/ApiGateway • 5XXError • Sum │ │ │ ├[+] AWS/ApiGateway • CacheHitCount • Sum │ │ │ ├[+] AWS/ApiGateway • CacheMissCount • Sum │ │ │ ├[+] AWS/ApiGateway • Count • Sum │ │ │ ├[+] AWS/ApiGateway • IntegrationLatency • Average │ │ │ └[+] AWS/ApiGateway • Latency • Average │ │ └[~] resource AWS::ApiGatewayV2::VpcLink │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:apigateway:${Region}::/vpclinks/${VpcLinkId} │ └ metrics │ ├[+] AWS/ApiGateway • 4xx • Sum │ ├[+] AWS/ApiGateway • 4XXError • Sum │ ├[+] AWS/ApiGateway • 5xx • Sum │ ├[+] AWS/ApiGateway • 5XXError • Sum │ ├[+] AWS/ApiGateway • CacheHitCount • Sum │ ├[+] AWS/ApiGateway • CacheMissCount • Sum │ ├[+] AWS/ApiGateway • ClientError • Sum │ ├[+] AWS/ApiGateway • ConnectCount • Sum │ ├[+] AWS/ApiGateway • Count • Sum │ ├[+] AWS/ApiGateway • DataProcessed • Sum │ ├[+] AWS/ApiGateway • ExecutionError • Sum │ ├[+] AWS/ApiGateway • IntegrationError • Sum │ ├[+] AWS/ApiGateway • IntegrationLatency • Average │ ├[+] AWS/ApiGateway • Latency • Average │ └[+] AWS/ApiGateway • MessageCount • Sum ├[~] service aws-appconfig │ └ resources │ ├[~] resource AWS::AppConfig::Application │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:appconfig:${Region}:${Account}:application/${ApplicationId} │ ├[~] resource AWS::AppConfig::ConfigurationProfile │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:appconfig:${Region}:${Account}:application/${ApplicationId}/configurationprofile/${ConfigurationProfileId} │ ├[~] resource AWS::AppConfig::Deployment │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:appconfig:${Region}:${Account}:application/${ApplicationId}/environment/${EnvironmentId}/deployment/${DeploymentNumber} │ ├[~] resource AWS::AppConfig::DeploymentStrategy │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:appconfig:${Region}:${Account}:deploymentstrategy/${DeploymentStrategyId} │ ├[~] resource AWS::AppConfig::Environment │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:appconfig:${Region}:${Account}:application/${ApplicationId}/environment/${EnvironmentId} │ ├[~] resource AWS::AppConfig::Extension │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:appconfig:${Region}:${Account}:extension/${ExtensionId}/${ExtensionVersionNumber} │ ├[~] resource AWS::AppConfig::ExtensionAssociation │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:appconfig:${Region}:${Account}:extensionassociation/${ExtensionAssociationId} │ └[~] resource AWS::AppConfig::HostedConfigurationVersion │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:appconfig:${Region}:${Account}:application/${ApplicationId}/configurationprofile/${ConfigurationProfileId}/hostedconfigurationversion/${VersionNumber} ├[~] service aws-appflow │ └ resources │ ├[~] resource AWS::AppFlow::Connector │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:appflow:${Region}:${Account}:connector/${ConnectorLabel} │ ├[~] resource AWS::AppFlow::ConnectorProfile │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:appflow:${Region}:${Account}:connectorprofile/${ProfileName} │ └[~] resource AWS::AppFlow::Flow │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:appflow:${Region}:${Account}:flow/${FlowName} ├[~] service aws-appintegrations │ └ resources │ ├[~] resource AWS::AppIntegrations::Application │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:app-integrations:${Region}:${Account}:application/${ApplicationId} │ ├[~] resource AWS::AppIntegrations::DataIntegration │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:app-integrations:${Region}:${Account}:data-integration/${DataIntegrationId} │ └[~] resource AWS::AppIntegrations::EventIntegration │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:app-integrations:${Region}:${Account}:event-integration/${EventIntegrationName} ├[~] service aws-applicationautoscaling │ └ resources │ └[~] resource AWS::ApplicationAutoScaling::ScalableTarget │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:application-autoscaling:${Region}:${Account}:scalable-target/${ResourceId} ├[~] service aws-applicationinsights │ └ resources │ └[~] resource AWS::ApplicationInsights::Application │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:applicationinsights:${Region}:${AccountId}:application/resource-group/${ResourceGroupName} ├[~] service aws-applicationsignals │ └ resources │ └[~] resource AWS::ApplicationSignals::ServiceLevelObjective │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:application-signals:${Region}:${Account}:slo/${SloName} ├[~] service aws-appmesh │ └ resources │ ├[~] resource AWS::AppMesh::GatewayRoute │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualGateway/${VirtualGatewayName}/gatewayRoute/${GatewayRouteName} │ ├[~] resource AWS::AppMesh::Mesh │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName} │ ├[~] resource AWS::AppMesh::Route │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualRouter/${VirtualRouterName}/route/${RouteName} │ ├[~] resource AWS::AppMesh::VirtualGateway │ │ ├ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualGateway/${VirtualGatewayName} │ │ └ types │ │ ├[~] type VirtualGatewayListenerTlsAcmCertificate │ │ │ └ - documentation: An object that represents an AWS Certificate Manager certificate. │ │ │ + documentation: An object that represents an Certificate Manager certificate. │ │ ├[~] type VirtualGatewayListenerTlsCertificate │ │ │ └ properties │ │ │ └ ACM: (documentation changed) │ │ ├[~] type VirtualGatewayTlsValidationContextAcmTrust │ │ │ └ - documentation: An object that represents a Transport Layer Security (TLS) validation context trust for an AWS Certificate Manager certificate. │ │ │ + documentation: An object that represents a Transport Layer Security (TLS) validation context trust for an Certificate Manager certificate. │ │ └[~] type VirtualGatewayTlsValidationContextTrust │ │ └ properties │ │ └ ACM: (documentation changed) │ ├[~] resource AWS::AppMesh::VirtualNode │ │ ├ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualNode/${VirtualNodeName} │ │ └ types │ │ ├[~] type ListenerTlsAcmCertificate │ │ │ └ - documentation: An object that represents an AWS Certificate Manager certificate. │ │ │ + documentation: An object that represents an Certificate Manager certificate. │ │ ├[~] type ListenerTlsCertificate │ │ │ └ properties │ │ │ └ ACM: (documentation changed) │ │ ├[~] type TlsValidationContextAcmTrust │ │ │ └ - documentation: An object that represents a Transport Layer Security (TLS) validation context trust for an AWS Certificate Manager certificate. │ │ │ + documentation: An object that represents a Transport Layer Security (TLS) validation context trust for an Certificate Manager certificate. │ │ └[~] type TlsValidationContextTrust │ │ └ properties │ │ └ ACM: (documentation changed) │ ├[~] resource AWS::AppMesh::VirtualRouter │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualRouter/${VirtualRouterName} │ └[~] resource AWS::AppMesh::VirtualService │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualService/${VirtualServiceName} ├[~] service aws-apprunner │ └ resources │ ├[~] resource AWS::AppRunner::AutoScalingConfiguration │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:apprunner:${Region}:${Account}:autoscalingconfiguration/${AutoscalingConfigurationName}/${AutoscalingConfigurationVersion}/${AutoscalingConfigurationId} │ ├[~] resource AWS::AppRunner::ObservabilityConfiguration │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:apprunner:${Region}:${Account}:observabilityconfiguration/${ObservabilityConfigurationName}/${ObservabilityConfigurationVersion}/${ObservabilityConfigurationId} │ ├[~] resource AWS::AppRunner::Service │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:apprunner:${Region}:${Account}:service/${ServiceName}/${ServiceId} │ ├[~] resource AWS::AppRunner::VpcConnector │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:apprunner:${Region}:${Account}:vpcconnector/${VpcConnectorName}/${VpcConnectorVersion}/${VpcConnectorId} │ └[~] resource AWS::AppRunner::VpcIngressConnection │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:apprunner:${Region}:${Account}:vpcingressconnection/${VpcIngressConnectionName}/${VpcIngressConnectionId} ├[~] service aws-appstream │ └ resources │ ├[~] resource AWS::AppStream::AppBlock │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:appstream:${Region}:${Account}:app-block/${AppBlockName} │ ├[~] resource AWS::AppStream::AppBlockBuilder │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:appstream:${Region}:${Account}:app-block-builder/${AppBlockBuilderName} │ ├[~] resource AWS::AppStream::Application │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:appstream:${Region}:${Account}:application/${ApplicationName} │ ├[~] resource AWS::AppStream::Fleet │ │ ├ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:appstream:${Region}:${Account}:fleet/${FleetName} │ │ └ properties │ │ └ InstanceType: (documentation changed) │ ├[~] resource AWS::AppStream::ImageBuilder │ │ ├ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:appstream:${Region}:${Account}:image-builder/${ImageBuilderName} │ │ └ properties │ │ └ InstanceType: (documentation changed) │ └[~] resource AWS::AppStream::Stack │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:appstream:${Region}:${Account}:stack/${StackName} ├[~] service aws-appsync │ └ resources │ ├[~] resource AWS::AppSync::Api │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:appsync:${Region}:${Account}:apis/${ApiId} │ ├[~] resource AWS::AppSync::ChannelNamespace │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:appsync:${Region}:${Account}:apis/${ApiId}/channelNamespace/${ChannelNamespaceName} │ ├[~] resource AWS::AppSync::DataSource │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/datasources/${DatasourceName} │ ├[~] resource AWS::AppSync::DomainName │ │ ├ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:appsync:${Region}:${Account}:domainnames/${DomainName} │ │ └ properties │ │ └ CertificateArn: (documentation changed) │ ├[~] resource AWS::AppSync::FunctionConfiguration │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/functions/${FunctionId} │ ├[~] resource AWS::AppSync::GraphQLApi │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId} │ └[~] resource AWS::AppSync::SourceApiAssociation │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:appsync:${Region}:${Account}:apis/${MergedGraphQLAPIId}/sourceApiAssociations/${Associationid} ├[~] service aws-apptest │ └ resources │ └[~] resource AWS::AppTest::TestCase │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:apptest:${Region}:${Account}:testcase/${TestCaseId} ├[~] service aws-aps │ └ resources │ ├[~] resource AWS::APS::RuleGroupsNamespace │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:aps:${Region}:${Account}:rulegroupsnamespace/${WorkspaceId}/${Namespace} │ ├[~] resource AWS::APS::Scraper │ │ ├ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:aps:${Region}:${Account}:scraper/${ScraperId} │ │ ├ properties │ │ │ └[+] ScraperLoggingConfiguration: ScraperLoggingConfiguration │ │ └ types │ │ ├[+] type CloudWatchLogDestination │ │ │ ├ documentation: Represents a cloudwatch logs destination for scraper logging │ │ │ │ name: CloudWatchLogDestination │ │ │ └ properties │ │ │ └ LogGroupArn: string │ │ ├[+] type ComponentConfig │ │ │ ├ documentation: Configuration settings for a scraper component. │ │ │ │ name: ComponentConfig │ │ │ └ properties │ │ │ └ Options: Map<string, string> │ │ ├[+] type ScraperComponent │ │ │ ├ documentation: A component of a Amazon Managed Service for Prometheus scraper that can be configured for logging. │ │ │ │ name: ScraperComponent │ │ │ └ properties │ │ │ ├ Type: string (required) │ │ │ └ Config: ComponentConfig │ │ ├[+] type ScraperLoggingConfiguration │ │ │ ├ documentation: Configuration for scraper logging │ │ │ │ name: ScraperLoggingConfiguration │ │ │ └ properties │ │ │ ├ ScraperComponents: Array<ScraperComponent> (required) │ │ │ └ LoggingDestination: ScraperLoggingDestination (required) │ │ └[+] type ScraperLoggingDestination │ │ ├ documentation: The destination where scraper logs are sent. │ │ │ name: ScraperLoggingDestination │ │ └ properties │ │ └ CloudWatchLogs: CloudWatchLogDestination │ └[~] resource AWS::APS::Workspace │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:aps:${Region}:${Account}:workspace/${WorkspaceId} ├[~] service aws-arcregionswitch │ └ resources │ └[~] resource AWS::ARCRegionSwitch::Plan │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:arc-region-switch:${Region}:${Account}:plan/${ResourceId} ├[~] service aws-athena │ └ resources │ ├[~] resource AWS::Athena::CapacityReservation │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:athena:${Region}:${Account}:capacity-reservation/${CapacityReservationName} │ ├[~] resource AWS::Athena::DataCatalog │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:athena:${Region}:${Account}:datacatalog/${DataCatalogName} │ └[~] resource AWS::Athena::WorkGroup │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:athena:${Region}:${Account}:workgroup/${WorkGroupName} ├[~] service aws-auditmanager │ └ resources │ └[~] resource AWS::AuditManager::Assessment │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:auditmanager:${Region}:${Account}:assessment/${AssessmentId} ├[~] service aws-autoscaling │ └ resources │ ├[~] resource AWS::AutoScaling::AutoScalingGroup │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:autoscaling:${Region}:${Account}:autoScalingGroup:${GroupId}:autoScalingGroupName/${GroupFriendlyName} │ └[~] resource AWS::AutoScaling::LaunchConfiguration │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:autoscaling:${Region}:${Account}:launchConfiguration:${Id}:launchConfigurationName/${LaunchConfigurationName} ├[~] service aws-b2bi │ └ resources │ ├[~] resource AWS::B2BI::Capability │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:b2bi:${Region}:${Account}:capability/${ResourceId} │ ├[~] resource AWS::B2BI::Partnership │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:b2bi:${Region}:${Account}:partnership/${ResourceId} │ ├[~] resource AWS::B2BI::Profile │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:b2bi:${Region}:${Account}:profile/${ResourceId} │ └[~] resource AWS::B2BI::Transformer │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:b2bi:${Region}:${Account}:transformer/${ResourceId} ├[~] service aws-backup │ └ resources │ ├[~] resource AWS::Backup::BackupPlan │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:backup:${Region}:${Account}:backup-plan:${BackupPlanId} │ ├[~] resource AWS::Backup::BackupVault │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:backup:${Region}:${Account}:backup-vault:${BackupVaultName} │ ├[~] resource AWS::Backup::Framework │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:backup:${Region}:${Account}:framework:${FrameworkName}-${FrameworkId} │ ├[~] resource AWS::Backup::ReportPlan │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:backup:${Region}:${Account}:report-plan:${ReportPlanName}-${ReportPlanId} │ └[~] resource AWS::Backup::RestoreTestingPlan │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:backup:${Region}:${Account}:restore-testing-plan:${RestoreTestingPlanName}-${RestoreTestingPlanId} ├[~] service aws-backupgateway │ └ resources │ └[~] resource AWS::BackupGateway::Hypervisor │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:backup-gateway:${Region}:${Account}:hypervisor/${HypervisorId} ├[~] service aws-batch │ └ resources │ ├[~] resource AWS::Batch::ComputeEnvironment │ │ ├ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:batch:${Region}:${Account}:compute-environment/${ComputeEnvironmentName} │ │ └ types │ │ └[~] type Ec2ConfigurationObject │ │ └ properties │ │ └ ImageType: (documentation changed) │ ├[~] resource AWS::Batch::ConsumableResource │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:batch:${Region}:${Account}:consumable-resource/${ConsumableResourceName} │ ├[~] resource AWS::Batch::JobDefinition │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:batch:${Region}:${Account}:job-definition/${JobDefinitionName} │ ├[~] resource AWS::Batch::JobQueue │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:batch:${Region}:${Account}:job-queue/${JobQueueName} │ ├[~] resource AWS::Batch::SchedulingPolicy │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:batch:${Region}:${Account}:scheduling-policy/${SchedulingPolicyName} │ └[~] resource AWS::Batch::ServiceEnvironment │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:batch:${Region}:${Account}:service-environment/${ServiceEnvironmentName} ├[~] service aws-bcmdataexports │ └ resources │ └[~] resource AWS::BCMDataExports::Export │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:bcm-data-exports:${Region}:${Account}:export/${Identifier} ├[~] service aws-bedrock │ ├ resources │ │ ├[~] resource AWS::Bedrock::Agent │ │ │ ├ - arnTemplate: undefined │ │ │ │ + arnTemplate: arn:${Partition}:bedrock:${Region}:${Account}:agent/${AgentId} │ │ │ └ metrics │ │ │ ├[+] AWS/Bedrock/Agents • InputTokenCount • Sum │ │ │ ├[+] AWS/Bedrock/Agents • InvocationClientErrors • Sum │ │ │ ├[+] AWS/Bedrock/Agents • InvocationCount • Sum │ │ │ ├[+] AWS/Bedrock/Agents • InvocationServerErrors • Sum │ │ │ ├[+] AWS/Bedrock/Agents • InvocationThrottles • Sum │ │ │ ├[+] AWS/Bedrock/Agents • ModelInvocationClientErrors • Sum │ │ │ ├[+] AWS/Bedrock/Agents • ModelInvocationCount • Sum │ │ │ ├[+] AWS/Bedrock/Agents • ModelInvocationServerErrors • Sum │ │ │ ├[+] AWS/Bedrock/Agents • ModelInvocationThrottles • Sum │ │ │ ├[+] AWS/Bedrock/Agents • ModelLatency • Average │ │ │ ├[+] AWS/Bedrock/Agents • OutputTokenCount • Sum │ │ │ └[+] AWS/Bedrock/Agents • TotalTime • Average │ │ ├[~] resource AWS::Bedrock::AgentAlias │ │ │ └ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:bedrock:${Region}:${Account}:agent-alias/${AgentId}/${AgentAliasId} │ │ ├[~] resource AWS::Bedrock::ApplicationInferenceProfile │ │ │ └ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:bedrock:${Region}:${Account}:application-inference-profile/${ResourceId} │ │ ├[~] resource AWS::Bedrock::AutomatedReasoningPolicy │ │ │ └ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:bedrock:${Region}:${Account}:automated-reasoning-policy/${AutomatedReasoningPolicyId} │ │ ├[~] resource AWS::Bedrock::AutomatedReasoningPolicyVersion │ │ │ └ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:bedrock:${Region}:${Account}:automated-reasoning-policy/${AutomatedReasoningPolicyId}:${AutomatedReasoningPolicyVersion} │ │ ├[~] resource AWS::Bedrock::Blueprint │ │ │ └ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:bedrock:${Region}:${Account}:blueprint/${BlueprintId} │ │ ├[~] resource AWS::Bedrock::DataAutomationProject │ │ │ └ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:bedrock:${Region}:${Account}:data-automation-project/${ProjectId} │ │ ├[~] resource AWS::Bedrock::Flow │ │ │ └ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:bedrock:${Region}:${Account}:flow/${FlowId} │ │ ├[~] resource AWS::Bedrock::FlowAlias │ │ │ └ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:bedrock:${Region}:${Account}:flow/${FlowId}/alias/${FlowAliasId} │ │ ├[~] resource AWS::Bedrock::Guardrail │ │ │ ├ - arnTemplate: undefined │ │ │ │ + arnTemplate: arn:${Partition}:bedrock:${Region}:${Account}:guardrail/${GuardrailId} │ │ │ ├ properties │ │ │ │ └[+] AutomatedReasoningPolicyConfig: AutomatedReasoningPolicyConfig │ │ │ ├ types │ │ │ │ └[+] type AutomatedReasoningPolicyConfig │ │ │ │ ├ documentation: Configuration settings for integrating Automated Reasoning policies with Amazon Bedrock Guardrails. │ │ │ │ │ name: AutomatedReasoningPolicyConfig │ │ │ │ └ properties │ │ │ │ ├ ConfidenceThreshold: number │ │ │ │ └ Policies: Array<string> (required) │ │ │ └ metrics │ │ │ ├[+] AWS/Bedrock/Guardrails • InvocationClientErrors • Sum │ │ │ ├[+] AWS/Bedrock/Guardrails • InvocationLatency • Average │ │ │ ├[+] AWS/Bedrock/Guardrails • Invocations • Sum │ │ │ ├[+] AWS/Bedrock/Guardrails • InvocationServerErrors • Sum │ │ │ ├[+] AWS/Bedrock/Guardrails • InvocationsIntervened • Sum │ │ │ ├[+] AWS/Bedrock/Guardrails • InvocationThrottles • Sum │ │ │ └[+] AWS/Bedrock/Guardrails • TextUnitCount • Sum │ │ ├[~] resource AWS::Bedrock::KnowledgeBase │ │ │ └ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:bedrock:${Region}:${Account}:knowledge-base/${KnowledgeBaseId} │ │ ├[~] resource AWS::Bedrock::Prompt │ │ │ └ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:bedrock:${Region}:${Account}:prompt/${PromptId} │ │ └[~] resource AWS::Bedrock::PromptVersion │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:bedrock:${Region}:${Account}:prompt/${PromptId}:${PromptVersion} │ └ metrics │ ├[+] AWS/Bedrock/Agents • InputTokenCount • Sum │ ├[+] AWS/Bedrock/Agents • InvocationClientErrors • Sum │ ├[+] AWS/Bedrock/Agents • InvocationCount • Sum │ ├[+] AWS/Bedrock/Agents • InvocationServerErrors • Sum │ ├[+] AWS/Bedrock/Agents • InvocationThrottles • Sum │ ├[+] AWS/Bedrock/Agents • ModelInvocationClientErrors • Sum │ ├[+] AWS/Bedrock/Agents • ModelInvocationCount • Sum │ ├[+] AWS/Bedrock/Agents • ModelInvocationServerErrors • Sum │ ├[+] AWS/Bedrock/Agents • ModelInvocationThrottles • Sum │ ├[+] AWS/Bedrock/Agents • ModelLatency • Average │ ├[+] AWS/Bedrock/Agents • OutputTokenCount • Sum │ ├[+] AWS/Bedrock/Agents • TotalTime • Average │ ├[+] AWS/Bedrock/Guardrails • InvocationClientErrors • Sum │ ├[+] AWS/Bedrock/Guardrails • InvocationLatency • Average │ ├[+] AWS/Bedrock/Guardrails • Invocations • Sum │ ├[+] AWS/Bedrock/Guardrails • InvocationServerErrors • Sum │ ├[+] AWS/Bedrock/Guardrails • InvocationsIntervened • Sum │ ├[+] AWS/Bedrock/Guardrails • InvocationThrottles • Sum │ └[+] AWS/Bedrock/Guardrails • TextUnitCount • Sum ├[~] service aws-billing │ └ resources │ └[~] resource AWS::Billing::BillingView │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:billing::${Account}:billingview/${ResourceId} ├[~] service aws-billingconductor │ └ resources │ ├[~] resource AWS::BillingConductor::BillingGroup │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:billingconductor::${Account}:billinggroup/${BillingGroupId} │ ├[~] resource AWS::BillingConductor::CustomLineItem │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:billingconductor::${Account}:customlineitem/${CustomLineItemId} │ ├[~] resource AWS::BillingConductor::PricingPlan │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:billingconductor::${Account}:pricingplan/${PricingPlanId} │ └[~] resource AWS::BillingConductor::PricingRule │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:billingconductor::${Account}:pricingrule/${PricingRuleId} ├[~] service aws-budgets │ └ resources │ ├[~] resource AWS::Budgets::Budget │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:budgets::${Account}:budget/${BudgetName} │ └[~] resource AWS::Budgets::BudgetsAction │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:budgets::${Account}:budget/${BudgetName}/action/${ActionId} ├[~] service aws-cassandra │ └ resources │ ├[~] resource AWS::Cassandra::Keyspace │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:cassandra:${Region}:${Account}:/keyspace/${KeyspaceName}/ │ └[~] resource AWS::Cassandra::Table │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:cassandra:${Region}:${Account}:/keyspace/${KeyspaceName}/table/${TableName} ├[~] service aws-ce │ └ resources │ ├[~] resource AWS::CE::AnomalyMonitor │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:ce::${Account}:anomalymonitor/${Identifier} │ ├[~] resource AWS::CE::AnomalySubscription │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:ce::${Account}:anomalysubscription/${Identifier} │ └[~] resource AWS::CE::CostCategory │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:ce::${Account}:costcategory/${Identifier} ├[~] service aws-certificatemanager │ └ resources │ └[~] resource AWS::CertificateManager::Certificate │ ├ - documentation: The `AWS::CertificateManager::Certificate` resource requests an AWS Certificate Manager ( ACM ) certificate that you can use to enable secure connections. For example, you can deploy an ACM certificate to an Elastic Load Balancer to enable HTTPS support. For more information, see [RequestCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RequestCertificate.html) in the AWS Certificate Manager API Reference. │ │ > When you use the `AWS::CertificateManager::Certificate` resource in a CloudFormation stack, domain validation is handled automatically if all three of the following are true: The certificate domain is hosted in Amazon Route 53, the domain resides in your AWS account , and you are using DNS validation. │ │ > │ │ > However, if the certificate uses email validation, or if the domain is not hosted in Route 53, then the stack will remain in the `CREATE_IN_PROGRESS` state. Further stack operations are delayed until you validate the certificate request, either by acting upon the instructions in the validation email, or by adding a CNAME record to your DNS configuration. For more information, see [Option 1: DNS Validation](https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html) and [Option 2: Email Validation](https://docs.aws.amazon.com/acm/latest/userguide/email-validation.html) . │ │ + documentation: The `AWS::CertificateManager::Certificate` resource requests an Certificate Manager ( ACM ) certificate that you can use to enable secure connections. For example, you can deploy an ACM certificate to an Elastic Load Balancer to enable HTTPS support. For more information, see [RequestCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RequestCertificate.html) in the Certificate Manager API Reference. │ │ > When you use the `AWS::CertificateManager::Certificate` resource in a CloudFormation stack, domain validation is handled automatically if all three of the following are true: The certificate domain is hosted in Amazon Route 53, the domain resides in your AWS account , and you are using DNS validation. │ │ > │ │ > However, if the certificate uses email validation, or if the domain is not hosted in Route 53, then the stack will remain in the `CREATE_IN_PROGRESS` state. Further stack operations are delayed until you validate the certificate request, either by acting upon the instructions in the validation email, or by adding a CNAME record to your DNS configuration. For more information, see [Option 1: DNS Validation](https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html) and [Option 2: Email Validation](https://docs.aws.amazon.com/acm/latest/userguide/email-validation.html) . │ │ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:acm:${Region}:${Account}:certificate/${CertificateId} │ ├ properties │ │ └ CertificateTransparencyLoggingPreference: (documentation changed) │ └ types │ └[~] type DomainValidationOption │ └ - documentation: `DomainValidationOption` is a property of the [AWS::CertificateManager::Certificate](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-certificatemanager-certificate.html) resource that specifies the AWS Certificate Manager ( ACM ) certificate domain to validate. Depending on the chosen validation method, ACM checks the domain's DNS record for a validation CNAME, or it attempts to send a validation email message to the domain owner. │ + documentation: `DomainValidationOption` is a property of the [AWS::CertificateManager::Certificate](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-certificatemanager-certificate.html) resource that specifies the Certificate Manager ( ACM ) certificate domain to validate. Depending on the chosen validation method, ACM checks the domain's DNS record for a validation CNAME, or it attempts to send a validation email message to the domain owner. ├[~] service aws-chatbot │ └ resources │ ├[~] resource AWS::Chatbot::CustomAction │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:chatbot::${Account}:custom-action/${ActionName} │ ├[~] resource AWS::Chatbot::MicrosoftTeamsChannelConfiguration │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:chatbot::${Account}:chat-configuration/${ConfigurationType}/${ChatbotConfigurationName} │ └[~] resource AWS::Chatbot::SlackChannelConfiguration │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:chatbot::${Account}:chat-configuration/slack-channel/${ConfigurationName} ├[~] service aws-cleanrooms │ └ resources │ ├[~] resource AWS::CleanRooms::AnalysisTemplate │ │ ├ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:cleanrooms:${Region}:${Account}:membership/${MembershipId}/analysistemplate/${AnalysisTemplateId} │ │ ├ properties │ │ │ └[+] ErrorMessageConfiguration: ErrorMessageConfiguration (immutable) │ │ └ types │ │ └[+] type ErrorMessageConfiguration │ │ ├ documentation: A structure that defines the level of detail included in error messages returned by PySpark jobs. This configuration allows you to control the verbosity of error messages to help with troubleshooting PySpark jobs while maintaining appropriate security controls. │ │ │ name: ErrorMessageConfiguration │ │ └ properties │ │ └ Type: string (required) │ ├[~] resource AWS::CleanRooms::Collaboration │ │ ├ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:cleanrooms:${Region}:${Account}:collaboration/${CollaborationId} │ │ └ properties │ │ └[+] AutoApprovedChangeTypes: Array<string> (immutable) │ ├[~] resource AWS::CleanRooms::ConfiguredTable │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:cleanrooms:${Region}:${Account}:configuredtable/${ConfiguredTableId} │ ├[~] resource AWS::CleanRooms::ConfiguredTableAssociation │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:cleanrooms:${Region}:${Account}:membership/${MembershipId}/configuredtableassociation/${ConfiguredTableAssociationId} │ ├[~] resource AWS::CleanRooms::IdMappingTable │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:cleanrooms:${Region}:${Account}:membership/${MembershipId}/idmappingtable/${IdMappingTableId} │ ├[~] resource AWS::CleanRooms::IdNamespaceAssociation │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:cleanrooms:${Region}:${Account}:membership/${MembershipId}/idnamespaceassociation/${IdNamespaceAssociationId} │ ├[~] resource AWS::CleanRooms::Membership │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:cleanrooms:${Region}:${Account}:membership/${MembershipId} │ └[~] resource AWS::CleanRooms::PrivacyBudgetTemplate │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:cleanrooms:${Region}:${Account}:membership/${MembershipId}/privacybudgettemplate/${PrivacyBudgetTemplateId} ├[~] service aws-cleanroomsml │ └ resources │ └[~] resource AWS::CleanRoomsML::TrainingDataset │ └ - arnTemplate: undefined │ + arnTemplate: arn:${Partition}:cleanrooms-ml:${Region}:${Account}:training-dataset/${ResourceId} ├[~] service aws-cloudformation │ └ resources │ ├[~] resource AWS::CloudFormation::GuardHook │ │ └ properties │ │ └ TargetFilters: (documentation changed) │ ├[~] resource AWS::CloudFormation::HookVersion │ │ └ properties │ │ └ TypeName: (documentation changed) │ ├[~] resource AWS::CloudFormation::Stack │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:cloudformation:${Region}:${Account}:stack/${StackName}/${Id} │ ├[~] resource AWS::CloudFormation::StackSet │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:cloudformation:${Region}:${Account}:stackset/${StackSetName}:${Id} │ └[~] resource AWS::CloudFormation::TypeActivation │ ├ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:cloudformation:${Region}:${Account}:type/${TypeName}/${Id} │ ├ properties │ │ └ TypeNameAlias: (documentation changed) │ └ attributes │ └ Arn: (documentation changed) ├[~] service aws-cloudfront │ └ resources │ ├[~] resource AWS::CloudFront::AnycastIpList │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:cloudfront::${Account}:anycast-ip-list/${Id} │ ├[~] resource AWS::CloudFront::CachePolicy │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:cloudfront::${Account}:cache-policy/${Id} │ ├[~] resource AWS::CloudFront::CloudFrontOriginAccessIdentity │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:cloudfront::${Account}:origin-access-identity/${Id} │ ├[~] resource AWS::CloudFront::ConnectionGroup │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:cloudfront::${Account}:connection-group/${Id} │ ├[~] resource AWS::CloudFront::ContinuousDeploymentPolicy │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:cloudfront::${Account}:continuous-deployment-policy/${Id} │ ├[~] resource AWS::CloudFront::Distribution │ │ ├ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:cloudfront::${Account}:distribution/${DistributionId} │ │ └ types │ │ └[~] type ViewerCertificate │ │ ├ - documentation: A complex type that determines the distribution's SSL/TLS configuration for communicating with viewers. │ │ │ If the distribution doesn't use `Aliases` (also known as alternate domain names or CNAMEs)—that is, if the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` —set `CloudFrontDefaultCertificate` to `true` and leave all other fields empty. │ │ │ If the distribution uses `Aliases` (alternate domain names or CNAMEs), use the fields in this type to specify the following settings: │ │ │ - Which viewers the distribution accepts HTTPS connections from: only viewers that support [server name indication (SNI)](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Server_Name_Indication) (recommended), or all viewers including those that don't support SNI. │ │ │ - To accept HTTPS connections from only viewers that support SNI, set `SSLSupportMethod` to `sni-only` . This is recommended. Most browsers and clients support SNI. (In CloudFormation, the field name is `SslSupportMethod` . Note the different capitalization.) │ │ │ - To accept HTTPS connections from all viewers, including those that don't support SNI, set `SSLSupportMethod` to `vip` . This is not recommended, and results in additional monthly charges from CloudFront. (In CloudFormation, the field name is `SslSupportMethod` . Note the different capitalization.) │ │ │ - The minimum SSL/TLS protocol version that the distribution can use to communicate with viewers. To specify a minimum version, choose a value for `MinimumProtocolVersion` . For more information, see [Security Policy](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValues-security-policy) in the *Amazon CloudFront Developer Guide* . │ │ │ - The location of the SSL/TLS certificate, [AWS Certificate Manager (ACM)](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html) (recommended) or [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html) . You specify the location by setting a value in one of the following fields (not both): │ │ │ - `ACMCertificateArn` (In CloudFormation, this field name is `AcmCertificateArn` . Note the different capitalization.) │ │ │ - `IAMCertificateId` (In CloudFormation, this field name is `IamCertificateId` . Note the different capitalization.) │ │ │ All distributions support HTTPS connections from viewers. To require viewers to use HTTPS only, or to redirect them from HTTP to HTTPS, use `ViewerProtocolPolicy` in the `CacheBehavior` or `DefaultCacheBehavior` . To specify how CloudFront should use SSL/TLS to communicate with your custom origin, use `CustomOriginConfig` . │ │ │ For more information, see [Using HTTPS with CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html) and [Using Alternate Domain Names and HTTPS](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-alternate-domain-names.html) in the *Amazon CloudFront Developer Guide* . │ │ │ + documentation: A complex type that determines the distribution's SSL/TLS configuration for communicating with viewers. │ │ │ If the distribution doesn't use `Aliases` (also known as alternate domain names or CNAMEs)—that is, if the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` —set `CloudFrontDefaultCertificate` to `true` and leave all other fields empty. │ │ │ If the distribution uses `Aliases` (alternate domain names or CNAMEs), use the fields in this type to specify the following settings: │ │ │ - Which viewers the distribution accepts HTTPS connections from: only viewers that support [server name indication (SNI)](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Server_Name_Indication) (recommended), or all viewers including those that don't support SNI. │ │ │ - To accept HTTPS connections from only viewers that support SNI, set `SSLSupportMethod` to `sni-only` . This is recommended. Most browsers and clients support SNI. (In CloudFormation, the field name is `SslSupportMethod` . Note the different capitalization.) │ │ │ - To accept HTTPS connections from all viewers, including those that don't support SNI, set `SSLSupportMethod` to `vip` . This is not recommended, and results in additional monthly charges from CloudFront. (In CloudFormation, the field name is `SslSupportMethod` . Note the different capitalization.) │ │ │ - The minimum SSL/TLS protocol version that the distribution can use to communicate with viewers. To specify a minimum version, choose a value for `MinimumProtocolVersion` . For more information, see [Security Policy](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValues-security-policy) in the *Amazon CloudFront Developer Guide* . │ │ │ - The location of the SSL/TLS certificate, [Certificate Manager (ACM)](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html) (recommended) or [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html) . You specify the location by setting a value in one of the following fields (not both): │ │ │ - `ACMCertificateArn` (In CloudFormation, this field name is `AcmCertificateArn` . Note the different capitalization.) │ │ │ - `IAMCertificateId` (In CloudFormation, this field name is `IamCertificateId` . Note the different capitalization.) │ │ │ All distributions support HTTPS connections from viewers. To require viewers to use HTTPS only, or to redirect them from HTTP to HTTPS, use `ViewerProtocolPolicy` in the `CacheBehavior` or `DefaultCacheBehavior` . To specify how CloudFront should use SSL/TLS to communicate with your custom origin, use `CustomOriginConfig` . │ │ │ For more information, see [Using HTTPS with CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html) and [Using Alternate Domain Names and HTTPS](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-alternate-domain-names.html) in the *Amazon CloudFront Developer Guide* . │ │ └ properties │ │ └ AcmCertificateArn: (documentation changed) │ ├[~] resource AWS::CloudFront::DistributionTenant │ │ ├ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:cloudfront::${Account}:distribution-tenant/${Id} │ │ └ types │ │ ├[~] type Certificate │ │ │ └ - documentation: The AWS Certificate Manager (ACM) certificate associated with your distribution. │ │ │ + documentation: The Certificate Manager (ACM) certificate associated with your distribution. │ │ ├[~] type Customizations │ │ │ └ properties │ │ │ └ Certificate: (documentation changed) │ │ └[~] type ManagedCertificateRequest │ │ └ properties │ │ └ CertificateTransparencyLoggingPreference: (documentation changed) │ ├[…

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-apigateway │ └ resources │ └[~] resource AWS::ApiGateway::Method │ └ types │ └[~] type Integration │ └ properties │ └[+] ResponseTransferMode: string (default="BUFFERED") ├[+] service aws-bedrockagentcore │ ├ capitalized: BedrockAgentCore │ │ cloudFormationNamespace: AWS::BedrockAgentCore │ │ name: aws-bedrockagentcore │ │ shortName: bedrockagentcore │ └ resources │ ├ resource AWS::BedrockAgentCore::BrowserCustom │ │ ├ name: BrowserCustom │ │ │ cloudFormationType: AWS::BedrockAgentCore::BrowserCustom │ │ │ documentation: Resource definition for AWS::BedrockAgentCore::BrowserCustom │ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"map"} │ │ ├ properties │ │ │ ├ Name: string (required, immutable) │ │ │ ├ Description: string (immutable) │ │ │ ├ NetworkConfiguration: BrowserNetworkConfiguration (required, immutable) │ │ │ ├ RecordingConfig: RecordingConfig (immutable) │ │ │ ├ ExecutionRoleArn: string (immutable) │ │ │ └ Tags: Map<string, string> │ │ ├ attributes │ │ │ ├ BrowserId: string │ │ │ ├ BrowserArn: string │ │ │ ├ Status: string │ │ │ ├ CreatedAt: string │ │ │ └ LastUpdatedAt: string │ │ └ types │ │ ├ type BrowserNetworkConfiguration │ │ │ ├ documentation: Network configuration for browser │ │ │ │ name: BrowserNetworkConfiguration │ │ │ └ properties │ │ │ └ NetworkMode: string (required) │ │ ├ type RecordingConfig │ │ │ ├ documentation: Recording configuration for browser │ │ │ │ name: RecordingConfig │ │ │ └ properties │ │ │ ├ Enabled: boolean (default=false) │ │ │ └ S3Location: S3Location │ │ └ type S3Location │ │ ├ documentation: S3 Location Configuration │ │ │ name: S3Location │ │ └ properties │ │ ├ Bucket: string (required) │ │ └ Prefix: string (required) │ ├ resource AWS::BedrockAgentCore::CodeInterpreterCustom │ │ ├ name: CodeInterpreterCustom │ │ │ cloudFormationType: AWS::BedrockAgentCore::CodeInterpreterCustom │ │ │ documentation: Resource definition for AWS::BedrockAgentCore::CodeInterpreterCustom │ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"map"} │ │ ├ properties │ │ │ ├ Name: string (required, immutable) │ │ │ ├ Description: string (immutable) │ │ │ ├ ExecutionRoleArn: string (immutable) │ │ │ ├ NetworkConfiguration: CodeInterpreterNetworkConfiguration (required, immutable) │ │ │ └ Tags: Map<string, string> │ │ ├ attributes │ │ │ ├ CodeInterpreterId: string │ │ │ ├ CodeInterpreterArn: string │ │ │ ├ Status: string │ │ │ ├ CreatedAt: string │ │ │ └ LastUpdatedAt: string │ │ └ types │ │ └ type CodeInterpreterNetworkConfiguration │ │ ├ documentation: Network configuration for code interpreter │ │ │ name: CodeInterpreterNetworkConfiguration │ │ └ properties │ │ └ NetworkMode: string (required) │ ├ resource AWS::BedrockAgentCore::Runtime │ │ ├ name: Runtime │ │ │ cloudFormationType: AWS::BedrockAgentCore::Runtime │ │ │ documentation: Resource Type definition for AWS::BedrockAgentCore::Runtime │ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"map"} │ │ ├ properties │ │ │ ├ AgentRuntimeName: string (required, immutable) │ │ │ ├ Description: string │ │ │ ├ AgentRuntimeArtifact: AgentRuntimeArtifact (required) │ │ │ ├ RoleArn: string (required) │ │ │ ├ NetworkConfiguration: NetworkConfiguration (required) │ │ │ ├ ProtocolConfiguration: string │ │ │ ├ EnvironmentVariables: Map<string, string> │ │ │ ├ AuthorizerConfiguration: AuthorizerConfiguration │ │ │ └ Tags: Map<string, string> │ │ ├ attributes │ │ │ ├ AgentRuntimeArn: string │ │ │ ├ AgentRuntimeId: string │ │ │ ├ AgentRuntimeVersion: string │ │ │ ├ Status: string │ │ │ ├ CreatedAt: string │ │ │ ├ LastUpdatedAt: string │ │ │ └ WorkloadIdentityDetails: WorkloadIdentityDetails │ │ └ types │ │ ├ type AgentRuntimeArtifact │ │ │ ├ name: AgentRuntimeArtifact │ │ │ └ properties │ │ │ └ ContainerConfiguration: ContainerConfiguration │ │ ├ type AuthorizerConfiguration │ │ │ ├ documentation: Configuration for the authorizer │ │ │ │ name: AuthorizerConfiguration │ │ │ └ properties │ │ │ └ CustomJWTAuthorizer: CustomJWTAuthorizerConfiguration │ │ ├ type ContainerConfiguration │ │ │ ├ name: ContainerConfiguration │ │ │ └ properties │ │ │ └ ContainerUri: string (required) │ │ ├ type CustomJWTAuthorizerConfiguration │ │ │ ├ documentation: Configuration for custom JWT authorizer │ │ │ │ name: CustomJWTAuthorizerConfiguration │ │ │ └ properties │ │ │ ├ DiscoveryUrl: string (required) │ │ │ ├ AllowedAudience: Array<string> │ │ │ └ AllowedClients: Array<string> │ │ ├ type NetworkConfiguration │ │ │ ├ name: NetworkConfiguration │ │ │ └ properties │ │ │ └ NetworkMode: string (required) │ │ └ type WorkloadIdentityDetails │ │ ├ documentation: Configuration for workload identity │ │ │ name: WorkloadIdentityDetails │ │ └ properties │ │ └ WorkloadIdentityArn: string (required) │ └ resource AWS::BedrockAgentCore::RuntimeEndpoint │ ├ name: RuntimeEndpoint │ │ cloudFormationType: AWS::BedrockAgentCore::RuntimeEndpoint │ │ documentation: Resource definition for AWS::BedrockAgentCore::RuntimeEndpoint │ │ tagInformation: {"tagPropertyName":"Tags","variant":"map"} │ ├ properties │ │ ├ AgentRuntimeId: string (required, immutable) │ │ ├ Name: string (required, immutable) │ │ ├ AgentRuntimeVersion: string (immutable) │ │ ├ Description: string │ │ └ Tags: Map<string, string> │ └ attributes │ ├ Id: string │ ├ AgentRuntimeEndpointArn: string │ ├ AgentRuntimeArn: string │ ├ Status: string │ ├ CreatedAt: string │ ├ LastUpdatedAt: string │ ├ FailureReason: string │ ├ TargetVersion: string │ └ LiveVersion: string ├[~] service aws-cur │ └ resources │ └[~] resource AWS::CUR::ReportDefinition │ ├ - tagInformation: undefined │ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ └ properties │ └[+] Tags: Array<tag> ├[~] service aws-datasync │ └ resources │ └[~] resource AWS::DataSync::LocationSMB │ ├ properties │ │ ├[+] CmkSecretConfig: CmkSecretConfig │ │ └[+] CustomSecretConfig: CustomSecretConfig │ ├ attributes │ │ ├[+] CmkSecretConfig.SecretArn: string │ │ └[+] ManagedSecretConfig: ManagedSecretConfig │ └ types │ ├[+] type CmkSecretConfig │ │ ├ documentation: Specifies configuration information for a DataSync-managed secret, such as a password or set of credentials that DataSync uses to access a specific transfer location, and a customer-managed AWS KMS key. │ │ │ name: CmkSecretConfig │ │ └ properties │ │ ├ SecretArn: string │ │ └ KmsKeyArn: string │ ├[+] type CustomSecretConfig │ │ ├ documentation: Specifies configuration information for a customer-managed secret, such as a password or set of credentials that DataSync uses to access a specific transfer location, and an IAM role that DataSync can assume and access the customer-managed secret. │ │ │ name: CustomSecretConfig │ │ └ properties │ │ ├ SecretArn: string (required) │ │ └ SecretAccessRoleArn: string (required) │ └[+] type ManagedSecretConfig │ ├ documentation: Specifies configuration information for a DataSync-managed secret, such as a password or set of credentials that DataSync uses to access a specific transfer location. DataSync uses the default AWS-managed KMS key to encrypt this secret in AWS Secrets Manager. │ │ name: ManagedSecretConfig │ └ properties │ └ SecretArn: string (required) ├[~] service aws-datazone │ └ resources │ ├[+] resource AWS::DataZone::FormType │ │ ├ name: FormType │ │ │ cloudFormationType: AWS::DataZone::FormType │ │ │ documentation: Create and manage form types in Amazon Datazone │ │ ├ properties │ │ │ ├ DomainIdentifier: string (required, immutable) │ │ │ ├ Model: Model (required) │ │ │ ├ Description: string │ │ │ ├ Name: string (required, immutable) │ │ │ ├ OwningProjectIdentifier: string (required) │ │ │ └ Status: string │ │ ├ attributes │ │ │ ├ DomainId: string │ │ │ ├ OwningProjectId: string │ │ │ ├ Revision: string │ │ │ ├ FormTypeIdentifier: string │ │ │ ├ CreatedAt: string │ │ │ └ CreatedBy: string │ │ └ types │ │ └ type Model │ │ ├ documentation: Indicates the smithy model of the API. │ │ │ name: Model │ │ └ properties │ │ └ Smithy: string │ ├[~] resource AWS::DataZone::Owner │ │ └ attributes │ │ ├[+] OwnerIdentifier: string │ │ └[+] OwnerType: string │ └[~] resource AWS::DataZone::ProjectMembership │ └ attributes │ ├[+] MemberIdentifier: string │ └[+] MemberIdentifierType: string ├[~] service aws-ec2 │ └ resources │ ├[~] resource AWS::EC2::NetworkInterfaceAttachment │ │ └ properties │ │ └ EnaQueueCount: (documentation changed) │ ├[~] resource AWS::EC2::VPC │ │ └ - documentation: Specifies a virtual private cloud (VPC). │ │ To add an IPv6 CIDR block to the VPC, see [AWS::EC2::VPCCidrBlock](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpccidrblock.html) . │ │ For more information, see [Virtual private clouds (VPC)](https://docs.aws.amazon.com/vpc/latest/userguide/configure-your-vpc.html) in the *Amazon VPC User Guide* . │ │ + documentation: Specifies a virtual private cloud (VPC). │ │ A VPC must have an associated IPv4 CIDR block. You can specify an IPv4 CIDR block or an IPAM-allocated IPv4 CIDR block. To associate an IPv6 CIDR block with the VPC, see [AWS::EC2::VPCCidrBlock](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpccidrblock.html) . │ │ For more information, see [Virtual private clouds (VPC)](https://docs.aws.amazon.com/vpc/latest/userguide/configure-your-vpc.html) in the *Amazon VPC User Guide* . │ └[~] resource AWS::EC2::VPCCidrBlock │ └ - documentation: Associates a CIDR block with your VPC. │ You can optionally request an IPv6 CIDR block for the VPC. You can request an Amazon-provided IPv6 CIDR block from Amazon's pool of IPv6 addresses, or an IPv6 CIDR block from an IPv6 address pool that you provisioned through bring your own IP addresses (BYOIP). │ For more information, see [VPC CIDR blocks](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-cidr-blocks.html) in the *Amazon VPC User Guide* . │ + documentation: Associates a CIDR block with your VPC. │ A VPC must have an associated IPv4 CIDR block. You can optionally associate additional IPv4 CIDR blocks with a VPC. You can optionally associate an IPv6 CIDR block with a VPC. You can request an Amazon-provided IPv6 CIDR block from Amazon's pool of IPv6 addresses, or an IPv6 CIDR block from an IPv6 address pool that you provisioned through bring your own IP addresses (BYOIP). │ For more information, see [VPC CIDR blocks](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-cidr-blocks.html) in the *Amazon VPC User Guide* . ├[~] service aws-gamelift │ └ resources │ ├[~] resource AWS::GameLift::ContainerFleet │ │ └ types │ │ └[~] type LocationCapacity │ │ └ properties │ │ └ DesiredEC2Instances: - integer (required) │ │ + integer │ │ (documentation changed) │ └[~] resource AWS::GameLift::Fleet │ └ types │ └[~] type LocationCapacity │ └ properties │ └ DesiredEC2Instances: - integer (required) │ + integer ├[~] service aws-lambda │ └ resources │ └[~] resource AWS::Lambda::Permission │ └ properties │ └[+] InvokedViaFunctionUrl: boolean (immutable) ├[~] service aws-medialive │ └ resources │ └[~] resource AWS::MediaLive::Channel │ └ types │ ├[+] type AdditionalDestinations │ │ ├ name: AdditionalDestinations │ │ └ properties │ │ └ Destination: OutputLocationRef │ ├[~] type BurnInDestinationSettings │ │ └ properties │ │ └[+] SubtitleRows: string │ ├[~] type CmafIngestGroupSettings │ │ └ properties │ │ └[+] AdditionalDestinations: Array<AdditionalDestinations> │ ├[~] type DvbSubDestinationSettings │ │ └ properties │ │ └[+] SubtitleRows: string │ └[~] type OutputSettings │ └ properties │ └ MediaPackageOutputSettings: - json ⇐ MediaPackageOutputSettings │ + MediaPackageOutputSettings ├[~] service aws-networkmanager │ └ resources │ ├[~] resource AWS::NetworkManager::ConnectAttachment │ │ └ attributes │ │ └[+] LastModificationErrors: Array<string> │ ├[~] resource AWS::NetworkManager::ConnectPeer │ │ └ attributes │ │ └ LastModificationErrors: (documentation changed) │ ├[~] resource AWS::NetworkManager::DirectConnectGatewayAttachment │ │ └ attributes │ │ └[+] LastModificationErrors: Array<string> │ ├[~] resource AWS::NetworkManager::SiteToSiteVpnAttachment │ │ └ attributes │ │ └[+] LastModificationErrors: Array<string> │ ├[~] resource AWS::NetworkManager::TransitGatewayPeering │ │ └ attributes │ │ └[+] LastModificationErrors: Array<string> │ ├[~] resource AWS::NetworkManager::TransitGatewayRouteTableAttachment │ │ └ attributes │ │ └[+] LastModificationErrors: Array<string> │ └[~] resource AWS::NetworkManager::VpcAttachment │ └ attributes │ └[+] LastModificationErrors: Array<string> ├[~] service aws-omics │ └ resources │ ├[~] resource AWS::Omics::Workflow │ │ ├ properties │ │ │ ├[+] ContainerRegistryMap: ContainerRegistryMap (immutable) │ │ │ └[+] ContainerRegistryMapUri: string (immutable) │ │ └ types │ │ ├[+] type ContainerRegistryMap │ │ │ ├ documentation: Use a container registry map to specify mappings between the ECR private repository and one or more upstream registries. For more information, see [Container images](https://docs.aws.amazon.com/omics/latest/dev/workflows-ecr.html) in the *AWS HealthOmics User Guide* . │ │ │ │ name: ContainerRegistryMap │ │ │ └ properties │ │ │ ├ RegistryMappings: Array<RegistryMapping> │ │ │ └ ImageMappings: Array<ImageMapping> │ │ ├[+] type ImageMapping │ │ │ ├ documentation: Specifies image mappings that workflow tasks can use. For example, you can replace all the task references of a public image to use an equivalent image in your private ECR repository. You can use image mappings with upstream registries that don't support pull through cache. You need to manually synchronize the upstream registry with your private repository. │ │ │ │ name: ImageMapping │ │ │ └ properties │ │ │ ├ SourceImage: string │ │ │ └ DestinationImage: string │ │ └[+] type RegistryMapping │ │ ├ documentation: If you are using the ECR pull through cache feature, the registry mapping maps between the ECR repository and the upstream registry where container images are pulled and synchronized. │ │ │ name: RegistryMapping │ │ └ properties │ │ ├ UpstreamRegistryUrl: string │ │ ├ EcrRepositoryPrefix: string │ │ ├ UpstreamRepositoryPrefix: string │ │ └ EcrAccountId: string │ └[~] resource AWS::Omics::WorkflowVersion │ ├ properties │ │ ├[+] ContainerRegistryMap: ContainerRegistryMap (immutable) │ │ └[+] ContainerRegistryMapUri: string (immutable) │ └ types │ ├[+] type ContainerRegistryMap │ │ ├ documentation: Use a container registry map to specify mappings between the ECR private repository and one or more upstream registries. For more information, see [Container images](https://docs.aws.amazon.com/omics/latest/dev/workflows-ecr.html) in the *AWS HealthOmics User Guide* . │ │ │ name: ContainerRegistryMap │ │ └ properties │ │ ├ RegistryMappings: Array<RegistryMapping> │ │ └ ImageMappings: Array<ImageMapping> │ ├[+] type ImageMapping │ │ ├ documentation: Specifies image mappings that workflow tasks can use. For example, you can replace all the task references of a public image to use an equivalent image in your private ECR repository. You can use image mappings with upstream registries that don't support pull through cache. You need to manually synchronize the upstream registry with your private repository. │ │ │ name: ImageMapping │ │ └ properties │ │ ├ SourceImage: string │ │ └ DestinationImage: string │ └[+] type RegistryMapping │ ├ documentation: If you are using the ECR pull through cache feature, the registry mapping maps between the ECR repository and the upstream registry where container images are pulled and synchronized. │ │ name: RegistryMapping │ └ properties │ ├ UpstreamRegistryUrl: string │ ├ EcrRepositoryPrefix: string │ ├ UpstreamRepositoryPrefix: string │ └ EcrAccountId: string ├[~] service aws-opensearchservice │ └ resources │ └[~] resource AWS::OpenSearchService::Domain │ └ types │ └[~] type AdvancedSecurityOptionsInput │ └ properties │ └ IAMFederationOptions: (documentation changed) ├[~] service aws-quicksight │ └ resources │ └[~] resource AWS::QuickSight::Dashboard │ └ types │ ├[~] type DashboardPublishOptions │ │ └ properties │ │ ├[+] DataStoriesSharingOption: DataStoriesSharingOption │ │ └[+] ExecutiveSummaryOption: ExecutiveSummaryOption │ ├[+] type DataStoriesSharingOption │ │ ├ documentation: Executive summary option. │ │ │ name: DataStoriesSharingOption │ │ └ properties │ │ └ AvailabilityStatus: string │ └[+] type ExecutiveSummaryOption │ ├ documentation: Data stories sharing option. │ │ name: ExecutiveSummaryOption │ └ properties │ └ AvailabilityStatus: string ├[~] service aws-rds │ └ resources │ ├[~] resource AWS::RDS::DBCluster │ │ └ properties │ │ └ MasterUserAuthenticationType: (documentation changed) │ ├[~] resource AWS::RDS::DBInstance │ │ └ properties │ │ └ MasterUserAuthenticationType: (documentation changed) │ ├[~] resource AWS::RDS::DBProxy │ │ └ properties │ │ ├ Auth: - Array<AuthFormat> (required) │ │ │ + Array<AuthFormat> │ │ ├[+] DefaultAuthScheme: string │ │ ├[+] EndpointNetworkType: string (immutable) │ │ └[+] TargetConnectionNetworkType: string (immutable) │ └[~] resource AWS::RDS::DBProxyEndpoint │ └ properties │ └[+] EndpointNetworkType: string (immutable) └[~] service aws-servicecatalog └ resources ├[~] resource AWS::ServiceCatalog::PortfolioPrincipalAssociation └[~] resource AWS::ServiceCatalog::PortfolioProductAssociation ```

…ryption (#35568) Reverts #35144 #35144 introduced a regression that removes support for cross account keys by only using the keyId instead of keyArn. This PR reverts that change. Closes [#35551](#35551)

github-actions · 2025-09-25T10:17:56Z

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

mergify bot and others added 11 commits September 22, 2025 13:30

chore(merge-back): 2.216.0 (#35548)

cf7ca17

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.216.0/CHANGELOG.md)

revert(dynamodb): use keyId instead of keyArn for TableV2 replica enc…

b1f7f78

…ryption (#35568) Reverts #35144 #35144 introduced a regression that removes support for cross account keys by only using the keyId instead of keyArn. This PR reverts that change. Closes [#35551](#35551)

chore(release): 2.217.0

9c356c9

aws-cdk-automation requested a review from a team as a code owner September 25, 2025 09:00

aws-cdk-automation added auto-approve pr/no-squash This PR should be merged instead of squash-merging it labels Sep 25, 2025

github-actions bot added the p2 label Sep 25, 2025

github-actions bot approved these changes Sep 25, 2025

View reviewed changes

aws-cdk-automation requested a review from a team September 25, 2025 09:00

mergify bot added the contribution/core This is a PR that came from AWS. label Sep 25, 2025

chore: update analytics metadata blueprints

6ebe130

aemada-aws approved these changes Sep 25, 2025

View reviewed changes

aemada-aws merged commit 789bb11 into v2-release Sep 25, 2025
2 checks passed

aemada-aws deleted the bump/2.217.0 branch September 25, 2025 10:17

github-actions bot locked as resolved and limited conversation to collaborators Sep 25, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(release): 2.217.0 #35572

chore(release): 2.217.0 #35572

Uh oh!

aws-cdk-automation commented Sep 25, 2025 •

edited

Loading

Uh oh!

Uh oh!

github-actions bot commented Sep 25, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

chore(release): 2.217.0 #35572

chore(release): 2.217.0 #35572

Uh oh!

Conversation

aws-cdk-automation commented Sep 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

github-actions bot commented Sep 25, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

aws-cdk-automation commented Sep 25, 2025 •

edited

Loading