diff --git a/.changelog/1e73c687ad414040a5c2339a24e4a18c.json b/.changelog/1e73c687ad414040a5c2339a24e4a18c.json
new file mode 100644
index 00000000000..19fda79e7cc
--- /dev/null
+++ b/.changelog/1e73c687ad414040a5c2339a24e4a18c.json
@@ -0,0 +1,8 @@
+{
+ "id": "1e73c687-ad41-4040-a5c2-339a24e4a18c",
+ "type": "feature",
+ "description": "Amazon Simple Storage Service / Features : Adds support for pagination in the S3 ListBuckets API.",
+ "modules": [
+ "service/s3"
+ ]
+}
\ No newline at end of file
diff --git a/.changelog/2d6ae283018c4117ba07f3be8d15f02f.json b/.changelog/2d6ae283018c4117ba07f3be8d15f02f.json
new file mode 100644
index 00000000000..827c7741f7d
--- /dev/null
+++ b/.changelog/2d6ae283018c4117ba07f3be8d15f02f.json
@@ -0,0 +1,8 @@
+{
+ "id": "2d6ae283-018c-4117-ba07-f3be8d15f02f",
+ "type": "feature",
+ "description": "This release adds Global Cluster Failover capability which enables you to change your global cluster's primary AWS region, the region that serves writes, during a regional outage. Performing a failover action preserves your Global Cluster setup.",
+ "modules": [
+ "service/docdb"
+ ]
+}
\ No newline at end of file
diff --git a/.changelog/9eaba7a2b5764cb291676dceb32fde12.json b/.changelog/9eaba7a2b5764cb291676dceb32fde12.json
new file mode 100644
index 00000000000..134aaf7c99f
--- /dev/null
+++ b/.changelog/9eaba7a2b5764cb291676dceb32fde12.json
@@ -0,0 +1,8 @@
+{
+ "id": "9eaba7a2-b576-4cb2-9167-6dceb32fde12",
+ "type": "feature",
+ "description": "Make the LastUsedDate field in the GetAccessKeyLastUsed response optional. This may break customers who only call the API for access keys with a valid LastUsedDate. This fixes a deserialization issue for access keys without a LastUsedDate, because the field was marked as required but could be null.",
+ "modules": [
+ "service/iam"
+ ]
+}
\ No newline at end of file
diff --git a/.changelog/e4c7660f372d4a0e9ce17c2e6b9b81ca.json b/.changelog/e4c7660f372d4a0e9ce17c2e6b9b81ca.json new file mode 100644 index 00000000000..13dd8e829f4 --- /dev/null +++ b/.changelog/e4c7660f372d4a0e9ce17c2e6b9b81ca.json @@ -0,0 +1,8 @@ +{ + "id": "e4c7660f-372d-4a0e-9ce1-7c2e6b9b81ca", + "type": "feature", + "description": "This release introduces a new ContainerDefinition configuration to support the customer-managed keys for ECS container restart feature.", + "modules": [ + "service/ecs" + ] +} \ No newline at end of file diff --git a/service/applicationinsights/internal/endpoints/endpoints.go b/service/applicationinsights/internal/endpoints/endpoints.go index 9f581a1acea..dbbbca25af3 100644 --- a/service/applicationinsights/internal/endpoints/endpoints.go +++ b/service/applicationinsights/internal/endpoints/endpoints.go @@ -169,6 +169,9 @@ var defaultPartitions = endpoints.Partitions{ endpoints.EndpointKey{ Region: "ap-southeast-3", }: endpoints.Endpoint{}, + endpoints.EndpointKey{ + Region: "ap-southeast-4", + }: endpoints.Endpoint{}, endpoints.EndpointKey{ Region: "ca-central-1", }: endpoints.Endpoint{}, @@ -196,6 +199,9 @@ var defaultPartitions = endpoints.Partitions{ endpoints.EndpointKey{ Region: "eu-west-3", }: endpoints.Endpoint{}, + endpoints.EndpointKey{ + Region: "il-central-1", + }: endpoints.Endpoint{}, endpoints.EndpointKey{ Region: "me-central-1", }: endpoints.Endpoint{}, diff --git a/service/datazone/internal/endpoints/endpoints.go b/service/datazone/internal/endpoints/endpoints.go index 243d3344fe7..2f39e6d32b3 100644 --- a/service/datazone/internal/endpoints/endpoints.go +++ b/service/datazone/internal/endpoints/endpoints.go 
@@ -139,16 +139,6 @@ var defaultPartitions = endpoints.Partitions{ RegionRegex: partitionRegexp.Aws, IsRegionalized: true, Endpoints: endpoints.Endpoints{ - endpoints.EndpointKey{ - Region: "af-south-1", - }: endpoints.Endpoint{ - Hostname: "datazone.af-south-1.api.aws", - }, - endpoints.EndpointKey{ - Region: "ap-east-1", - }: endpoints.Endpoint{ - Hostname: "datazone.ap-east-1.api.aws", - }, endpoints.EndpointKey{ Region: "ap-northeast-1", }: endpoints.Endpoint{ @@ -164,11 +154,6 @@ var defaultPartitions = endpoints.Partitions{ }: endpoints.Endpoint{ Hostname: "datazone.ap-northeast-3.api.aws", }, - endpoints.EndpointKey{ - Region: "ap-south-1", - }: endpoints.Endpoint{ - Hostname: "datazone.ap-south-1.api.aws", - }, endpoints.EndpointKey{ Region: "ap-south-2", }: endpoints.Endpoint{ @@ -215,11 +200,6 @@ var defaultPartitions = endpoints.Partitions{ }: endpoints.Endpoint{ Hostname: "datazone.eu-central-1.api.aws", }, - endpoints.EndpointKey{ - Region: "eu-central-2", - }: endpoints.Endpoint{ - Hostname: "datazone.eu-central-2.api.aws", - }, endpoints.EndpointKey{ Region: "eu-north-1", }: endpoints.Endpoint{ @@ -230,11 +210,6 @@ var defaultPartitions = endpoints.Partitions{ }: endpoints.Endpoint{ Hostname: "datazone.eu-south-1.api.aws", }, - endpoints.EndpointKey{ - Region: "eu-south-2", - }: endpoints.Endpoint{ - Hostname: "datazone.eu-south-2.api.aws", - }, endpoints.EndpointKey{ Region: "eu-west-1", }: endpoints.Endpoint{ diff --git a/service/docdb/api_op_FailoverGlobalCluster.go b/service/docdb/api_op_FailoverGlobalCluster.go new file mode 100644 index 00000000000..8f773fb3d93 --- /dev/null +++ b/service/docdb/api_op_FailoverGlobalCluster.go 
@@ -0,0 +1,194 @@ +// Code generated by smithy-go-codegen DO NOT EDIT. + +package docdb + +import ( + "context" + "fmt" + awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware" + "github.com/aws/aws-sdk-go-v2/service/docdb/types" + "github.com/aws/smithy-go/middleware" + smithyhttp "github.com/aws/smithy-go/transport/http" +) + +// Promotes the specified secondary DB cluster to be the primary DB cluster in the +// global cluster when failing over a global cluster occurs. +// +// Use this operation to respond to an unplanned event, such as a regional +// disaster in the primary region. Failing over can result in a loss of write +// transaction data that wasn't replicated to the chosen secondary before the +// failover event occurred. However, the recovery process that promotes a DB +// instance on the chosen seconday DB cluster to be the primary writer DB instance +// guarantees that the data is in a transactionally consistent state. +func (c *Client) FailoverGlobalCluster(ctx context.Context, params *FailoverGlobalClusterInput, optFns ...func(*Options)) (*FailoverGlobalClusterOutput, error) { + if params == nil { + params = &FailoverGlobalClusterInput{} + } + + result, metadata, err := c.invokeOperation(ctx, "FailoverGlobalCluster", params, optFns, c.addOperationFailoverGlobalClusterMiddlewares) + if err != nil { + return nil, err + } + + out := result.(*FailoverGlobalClusterOutput) + out.ResultMetadata = metadata + return out, nil +} + +type FailoverGlobalClusterInput struct { + + // The identifier of the Amazon DocumentDB global cluster to apply this operation. + // The identifier is the unique key assigned by the user when the cluster is + // created. In other words, it's the name of the global cluster. + // + // Constraints: + // + // - Must match the identifier of an existing global cluster. + // + // - Minimum length of 1. Maximum length of 255. + // + // Pattern: [A-Za-z][0-9A-Za-z-:._]* + // + // This member is required. 
+ GlobalClusterIdentifier *string + + // The identifier of the secondary Amazon DocumentDB cluster that you want to + // promote to the primary for the global cluster. Use the Amazon Resource Name + // (ARN) for the identifier so that Amazon DocumentDB can locate the cluster in its + // Amazon Web Services region. + // + // Constraints: + // + // - Must match the identifier of an existing secondary cluster. + // + // - Minimum length of 1. Maximum length of 255. + // + // Pattern: [A-Za-z][0-9A-Za-z-:._]* + // + // This member is required. + TargetDbClusterIdentifier *string + + // Specifies whether to allow data loss for this global cluster operation. + // Allowing data loss triggers a global failover operation. + // + // If you don't specify AllowDataLoss , the global cluster operation defaults to a + // switchover. + // + // Constraints: + // + // - Can't be specified together with the Switchover parameter. + AllowDataLoss *bool + + // Specifies whether to switch over this global database cluster. + // + // Constraints: + // + // - Can't be specified together with the AllowDataLoss parameter. + Switchover *bool + + noSmithyDocumentSerde +} + +type FailoverGlobalClusterOutput struct { + + // A data type representing an Amazon DocumentDB global cluster. + GlobalCluster *types.GlobalCluster + + // Metadata pertaining to the operation's result. 
+ ResultMetadata middleware.Metadata + + noSmithyDocumentSerde +} + +func (c *Client) addOperationFailoverGlobalClusterMiddlewares(stack *middleware.Stack, options Options) (err error) { + if err := stack.Serialize.Add(&setOperationInputMiddleware{}, middleware.After); err != nil { + return err + } + err = stack.Serialize.Add(&awsAwsquery_serializeOpFailoverGlobalCluster{}, middleware.After) + if err != nil { + return err + } + err = stack.Deserialize.Add(&awsAwsquery_deserializeOpFailoverGlobalCluster{}, middleware.After) + if err != nil { + return err + } + if err := addProtocolFinalizerMiddlewares(stack, options, "FailoverGlobalCluster"); err != nil { + return fmt.Errorf("add protocol finalizers: %v", err) + } + + if err = addlegacyEndpointContextSetter(stack, options); err != nil { + return err + } + if err = addSetLoggerMiddleware(stack, options); err != nil { + return err + } + if err = addClientRequestID(stack); err != nil { + return err + } + if err = addComputeContentLength(stack); err != nil { + return err + } + if err = addResolveEndpointMiddleware(stack, options); err != nil { + return err + } + if err = addComputePayloadSHA256(stack); err != nil { + return err + } + if err = addRetry(stack, options); err != nil { + return err + } + if err = addRawResponseToMetadata(stack); err != nil { + return err + } + if err = addRecordResponseTiming(stack); err != nil { + return err + } + if err = addClientUserAgent(stack, options); err != nil { + return err + } + if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil { + return err + } + if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { + return err + } + if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil { + return err + } + if err = addTimeOffsetBuild(stack, c); err != nil { + return err + } + if err = addUserAgentRetryMode(stack, options); err != nil { + return err + } + if err = addOpFailoverGlobalClusterValidationMiddleware(stack); err != nil { + 
return err + } + if err = stack.Initialize.Add(newServiceMetadataMiddleware_opFailoverGlobalCluster(options.Region), middleware.Before); err != nil { + return err + } + if err = addRecursionDetection(stack); err != nil { + return err + } + if err = addRequestIDRetrieverMiddleware(stack); err != nil { + return err + } + if err = addResponseErrorMiddleware(stack); err != nil { + return err + } + if err = addRequestResponseLogging(stack, options); err != nil { + return err + } + if err = addDisableHTTPSMiddleware(stack, options); err != nil { + return err + } + return nil +} + +func newServiceMetadataMiddleware_opFailoverGlobalCluster(region string) *awsmiddleware.RegisterServiceMetadata { + return &awsmiddleware.RegisterServiceMetadata{ + Region: region, + ServiceID: ServiceID, + OperationName: "FailoverGlobalCluster", + } +} diff --git a/service/docdb/deserializers.go b/service/docdb/deserializers.go index 52e036724cf..d208160a19a 100644 --- a/service/docdb/deserializers.go +++ b/service/docdb/deserializers.go 
@@ -4028,6 +4028,123 @@ func awsAwsquery_deserializeOpErrorFailoverDBCluster(response *smithyhttp.Respon } } +type awsAwsquery_deserializeOpFailoverGlobalCluster struct { +} + +func (*awsAwsquery_deserializeOpFailoverGlobalCluster) ID() string { + return "OperationDeserializer" +} + +func (m *awsAwsquery_deserializeOpFailoverGlobalCluster) HandleDeserialize(ctx context.Context, in middleware.DeserializeInput, next middleware.DeserializeHandler) ( + out middleware.DeserializeOutput, metadata middleware.Metadata, err error, +) { + out, metadata, err = next.HandleDeserialize(ctx, in) + if err != nil { + return out, metadata, err + } + + response, ok := out.RawResponse.(*smithyhttp.Response) + if !ok { + return out, metadata, &smithy.DeserializationError{Err: fmt.Errorf("unknown transport type %T", out.RawResponse)} + } + + if response.StatusCode < 200 || response.StatusCode >= 300 { + return out, metadata, awsAwsquery_deserializeOpErrorFailoverGlobalCluster(response, &metadata) + } + output := &FailoverGlobalClusterOutput{} + out.Result = output + + var buff [1024]byte + ringBuffer := smithyio.NewRingBuffer(buff[:]) + body := io.TeeReader(response.Body, ringBuffer) + rootDecoder := xml.NewDecoder(body) + t, err := smithyxml.FetchRootElement(rootDecoder) + if err == io.EOF { + return out, metadata, nil + } + if err != nil { + var snapshot bytes.Buffer + io.Copy(&snapshot, ringBuffer) + return out, metadata, &smithy.DeserializationError{ + Err: fmt.Errorf("failed to decode response body, %w", err), + Snapshot: snapshot.Bytes(), + } + } + + decoder := smithyxml.WrapNodeDecoder(rootDecoder, t) + t, err = decoder.GetElement("FailoverGlobalClusterResult") + if err != nil { + var snapshot bytes.Buffer + io.Copy(&snapshot, ringBuffer) + err = &smithy.DeserializationError{ + Err: fmt.Errorf("failed to decode response body, %w", err), + Snapshot: snapshot.Bytes(), + } + return out, metadata, err + } + + decoder = smithyxml.WrapNodeDecoder(decoder.Decoder, t) + err = 
awsAwsquery_deserializeOpDocumentFailoverGlobalClusterOutput(&output, decoder) + if err != nil { + var snapshot bytes.Buffer + io.Copy(&snapshot, ringBuffer) + err = &smithy.DeserializationError{ + Err: fmt.Errorf("failed to decode response body, %w", err), + Snapshot: snapshot.Bytes(), + } + return out, metadata, err + } + + return out, metadata, err +} + +func awsAwsquery_deserializeOpErrorFailoverGlobalCluster(response *smithyhttp.Response, metadata *middleware.Metadata) error { + var errorBuffer bytes.Buffer + if _, err := io.Copy(&errorBuffer, response.Body); err != nil { + return &smithy.DeserializationError{Err: fmt.Errorf("failed to copy error response body, %w", err)} + } + errorBody := bytes.NewReader(errorBuffer.Bytes()) + + errorCode := "UnknownError" + errorMessage := errorCode + + errorComponents, err := awsxml.GetErrorResponseComponents(errorBody, false) + if err != nil { + return err + } + if reqID := errorComponents.RequestID; len(reqID) != 0 { + awsmiddleware.SetRequestIDMetadata(metadata, reqID) + } + if len(errorComponents.Code) != 0 { + errorCode = errorComponents.Code + } + if len(errorComponents.Message) != 0 { + errorMessage = errorComponents.Message + } + errorBody.Seek(0, io.SeekStart) + switch { + case strings.EqualFold("DBClusterNotFoundFault", errorCode): + return awsAwsquery_deserializeErrorDBClusterNotFoundFault(response, errorBody) + + case strings.EqualFold("GlobalClusterNotFoundFault", errorCode): + return awsAwsquery_deserializeErrorGlobalClusterNotFoundFault(response, errorBody) + + case strings.EqualFold("InvalidDBClusterStateFault", errorCode): + return awsAwsquery_deserializeErrorInvalidDBClusterStateFault(response, errorBody) + + case strings.EqualFold("InvalidGlobalClusterStateFault", errorCode): + return awsAwsquery_deserializeErrorInvalidGlobalClusterStateFault(response, errorBody) + + default: + genericError := &smithy.GenericAPIError{ + Code: errorCode, + Message: errorMessage, + } + return genericError + + } +} + type 
awsAwsquery_deserializeOpListTagsForResource struct { } @@ -19204,6 +19321,48 @@ func awsAwsquery_deserializeOpDocumentFailoverDBClusterOutput(v **FailoverDBClus return nil } +func awsAwsquery_deserializeOpDocumentFailoverGlobalClusterOutput(v **FailoverGlobalClusterOutput, decoder smithyxml.NodeDecoder) error { + if v == nil { + return fmt.Errorf("unexpected nil of type %T", v) + } + var sv *FailoverGlobalClusterOutput + if *v == nil { + sv = &FailoverGlobalClusterOutput{} + } else { + sv = *v + } + + for { + t, done, err := decoder.Token() + if err != nil { + return err + } + if done { + break + } + originalDecoder := decoder + decoder = smithyxml.WrapNodeDecoder(originalDecoder.Decoder, t) + switch { + case strings.EqualFold("GlobalCluster", t.Name.Local): + nodeDecoder := smithyxml.WrapNodeDecoder(decoder.Decoder, t) + if err := awsAwsquery_deserializeDocumentGlobalCluster(&sv.GlobalCluster, nodeDecoder); err != nil { + return err + } + + default: + // Do nothing and ignore the unexpected tag element + err = decoder.Decoder.Skip() + if err != nil { + return err + } + + } + decoder = originalDecoder + } + *v = sv + return nil +} + func awsAwsquery_deserializeOpDocumentListTagsForResourceOutput(v **ListTagsForResourceOutput, decoder smithyxml.NodeDecoder) error { if v == nil { return fmt.Errorf("unexpected nil of type %T", v) diff --git a/service/docdb/generated.json b/service/docdb/generated.json index 15dbbd79d69..63f7877f195 100644 --- a/service/docdb/generated.json +++ b/service/docdb/generated.json @@ -49,6 +49,7 @@ "api_op_DescribeOrderableDBInstanceOptions.go", "api_op_DescribePendingMaintenanceActions.go", "api_op_FailoverDBCluster.go", + "api_op_FailoverGlobalCluster.go", "api_op_ListTagsForResource.go", "api_op_ModifyDBCluster.go", "api_op_ModifyDBClusterParameterGroup.go", diff --git a/service/docdb/serializers.go b/service/docdb/serializers.go index c1a3d675b5f..209cb42b92e 100644 --- a/service/docdb/serializers.go +++ b/service/docdb/serializers.go 
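Review bot: In service/docdb/deserializers.go, awsAwsquery_deserializeOpErrorFailoverGlobalCluster buffers the entire non-2xx response body with `io.Copy(&errorBuffer, response.Body)` and no size bound, so an arbitrarily large error body is held in memory before the error code is even parsed. The success path in the same hunk streams the body and retains only a 1024-byte ring buffer for diagnostics; the error path deserves a comparable cap, for example `io.Copy(&errorBuffer, io.LimitReader(response.Body, maxErrorBodyBytes))`, where `maxErrorBodyBytes` is a constant still to be chosen. This matters most when the client is configured with a non-default endpoint. If this file is emitted by a code generator, the change belongs in the generator template rather than in this file.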
@@ -2320,6 +2320,70 @@ func (m *awsAwsquery_serializeOpFailoverDBCluster) HandleSerialize(ctx context.C return next.HandleSerialize(ctx, in) } +type awsAwsquery_serializeOpFailoverGlobalCluster struct { +} + +func (*awsAwsquery_serializeOpFailoverGlobalCluster) ID() string { + return "OperationSerializer" +} + +func (m *awsAwsquery_serializeOpFailoverGlobalCluster) HandleSerialize(ctx context.Context, in middleware.SerializeInput, next middleware.SerializeHandler) ( + out middleware.SerializeOutput, metadata middleware.Metadata, err error, +) { + request, ok := in.Request.(*smithyhttp.Request) + if !ok { + return out, metadata, &smithy.SerializationError{Err: fmt.Errorf("unknown transport type %T", in.Request)} + } + + input, ok := in.Parameters.(*FailoverGlobalClusterInput) + _ = input + if !ok { + return out, metadata, &smithy.SerializationError{Err: fmt.Errorf("unknown input parameters type %T", in.Parameters)} + } + + operationPath := "/" + if len(request.Request.URL.Path) == 0 { + request.Request.URL.Path = operationPath + } else { + request.Request.URL.Path = path.Join(request.Request.URL.Path, operationPath) + if request.Request.URL.Path != "/" && operationPath[len(operationPath)-1] == '/' { + request.Request.URL.Path += "/" + } + } + request.Request.Method = "POST" + httpBindingEncoder, err := httpbinding.NewEncoder(request.URL.Path, request.URL.RawQuery, request.Header) + if err != nil { + return out, metadata, &smithy.SerializationError{Err: err} + } + httpBindingEncoder.SetHeader("Content-Type").String("application/x-www-form-urlencoded") + + bodyWriter := bytes.NewBuffer(nil) + bodyEncoder := query.NewEncoder(bodyWriter) + body := bodyEncoder.Object() + body.Key("Action").String("FailoverGlobalCluster") + body.Key("Version").String("2014-10-31") + + if err := awsAwsquery_serializeOpDocumentFailoverGlobalClusterInput(input, bodyEncoder.Value); err != nil { + return out, metadata, &smithy.SerializationError{Err: err} + } + + err = bodyEncoder.Encode() + 
if err != nil { + return out, metadata, &smithy.SerializationError{Err: err} + } + + if request, err = request.SetStream(bytes.NewReader(bodyWriter.Bytes())); err != nil { + return out, metadata, &smithy.SerializationError{Err: err} + } + + if request.Request, err = httpBindingEncoder.Encode(request.Request); err != nil { + return out, metadata, &smithy.SerializationError{Err: err} + } + in.Request = request + + return next.HandleSerialize(ctx, in) +} + type awsAwsquery_serializeOpListTagsForResource struct { } @@ -4860,6 +4924,33 @@ func awsAwsquery_serializeOpDocumentFailoverDBClusterInput(v *FailoverDBClusterI return nil } +func awsAwsquery_serializeOpDocumentFailoverGlobalClusterInput(v *FailoverGlobalClusterInput, value query.Value) error { + object := value.Object() + _ = object + + if v.AllowDataLoss != nil { + objectKey := object.Key("AllowDataLoss") + objectKey.Boolean(*v.AllowDataLoss) + } + + if v.GlobalClusterIdentifier != nil { + objectKey := object.Key("GlobalClusterIdentifier") + objectKey.String(*v.GlobalClusterIdentifier) + } + + if v.Switchover != nil { + objectKey := object.Key("Switchover") + objectKey.Boolean(*v.Switchover) + } + + if v.TargetDbClusterIdentifier != nil { + objectKey := object.Key("TargetDbClusterIdentifier") + objectKey.String(*v.TargetDbClusterIdentifier) + } + + return nil +} + func awsAwsquery_serializeOpDocumentListTagsForResourceInput(v *ListTagsForResourceInput, value query.Value) error { object := value.Object() _ = object diff --git a/service/docdb/snapshot/api_op_FailoverGlobalCluster.go.snap b/service/docdb/snapshot/api_op_FailoverGlobalCluster.go.snap new file mode 100644 index 00000000000..7a4da9833bf --- /dev/null +++ b/service/docdb/snapshot/api_op_FailoverGlobalCluster.go.snap 
@@ -0,0 +1,36 @@ +FailoverGlobalCluster + Initialize stack step + RegisterServiceMetadata + legacyEndpointContextSetter + SetLogger + OperationInputValidation + Serialize stack step + setOperationInput + ResolveEndpoint + OperationSerializer + Build stack step + ClientRequestID + ComputeContentLength + UserAgent + AddTimeOffsetMiddleware + RecursionDetection + Finalize stack step + ResolveAuthScheme + GetIdentity + ResolveEndpointV2 + disableHTTPS + ComputePayloadHash + Retry + RetryMetricsHeader + setLegacyContextSigningOptions + Signing + Deserialize stack step + AddRawResponseToMetadata + ErrorCloseResponseBody + CloseResponseBody + ResponseErrorWrapper + RequestIDRetriever + OperationDeserializer + AddTimeOffsetMiddleware + RecordResponseTiming + RequestResponseLogger diff --git a/service/docdb/snapshot_test.go b/service/docdb/snapshot_test.go index 7ee9b104a1f..c78a3850bd1 100644 --- a/service/docdb/snapshot_test.go +++ b/service/docdb/snapshot_test.go @@ -494,6 +494,18 @@ func TestCheckSnapshot_FailoverDBCluster(t *testing.T) { } } +func TestCheckSnapshot_FailoverGlobalCluster(t *testing.T) { + svc := New(Options{}) + _, err := svc.FailoverGlobalCluster(context.Background(), nil, func(o *Options) { + o.APIOptions = append(o.APIOptions, func(stack *middleware.Stack) error { + return testSnapshot(stack, "FailoverGlobalCluster") + }) + }) + if _, ok := err.(snapshotOK); !ok && err != nil { + t.Fatal(err) + } +} + func TestCheckSnapshot_ListTagsForResource(t *testing.T) { svc := New(Options{}) _, err := svc.ListTagsForResource(context.Background(), nil, func(o *Options) { 
@@ -1141,6 +1153,18 @@ func TestUpdateSnapshot_FailoverDBCluster(t *testing.T) { } } +func TestUpdateSnapshot_FailoverGlobalCluster(t *testing.T) { + svc := New(Options{}) + _, err := svc.FailoverGlobalCluster(context.Background(), nil, func(o *Options) { + o.APIOptions = append(o.APIOptions, func(stack *middleware.Stack) error { + return updateSnapshot(stack, "FailoverGlobalCluster") + }) + }) + if _, ok := err.(snapshotOK); !ok && err != nil { + t.Fatal(err) + } +} + func TestUpdateSnapshot_ListTagsForResource(t *testing.T) { svc := New(Options{}) _, err := svc.ListTagsForResource(context.Background(), nil, func(o *Options) { diff --git a/service/docdb/validators.go b/service/docdb/validators.go index 7cf10c3c8d5..d4adb09b315 100644 --- a/service/docdb/validators.go +++ b/service/docdb/validators.go @@ -710,6 +710,26 @@ func (m *validateOpDescribePendingMaintenanceActions) HandleInitialize(ctx conte return next.HandleInitialize(ctx, in) } +type validateOpFailoverGlobalCluster struct { +} + +func (*validateOpFailoverGlobalCluster) ID() string { + return "OperationInputValidation" +} + +func (m *validateOpFailoverGlobalCluster) HandleInitialize(ctx context.Context, in middleware.InitializeInput, next middleware.InitializeHandler) ( + out middleware.InitializeOutput, metadata middleware.Metadata, err error, +) { + input, ok := in.Parameters.(*FailoverGlobalClusterInput) + if !ok { + return out, metadata, fmt.Errorf("unknown input parameters type %T", in.Parameters) + } + if err := validateOpFailoverGlobalClusterInput(input); err != nil { + return out, metadata, err + } + return next.HandleInitialize(ctx, in) +} + type validateOpListTagsForResource struct { } 
@@ -1210,6 +1230,10 @@ func addOpDescribePendingMaintenanceActionsValidationMiddleware(stack *middlewar return stack.Initialize.Add(&validateOpDescribePendingMaintenanceActions{}, middleware.After) } +func addOpFailoverGlobalClusterValidationMiddleware(stack *middleware.Stack) error { + return stack.Initialize.Add(&validateOpFailoverGlobalCluster{}, middleware.After) +} + func addOpListTagsForResourceValidationMiddleware(stack *middleware.Stack) error { return stack.Initialize.Add(&validateOpListTagsForResource{}, middleware.After) } @@ -1932,6 +1956,24 @@ func validateOpDescribePendingMaintenanceActionsInput(v *DescribePendingMaintena } } +func validateOpFailoverGlobalClusterInput(v *FailoverGlobalClusterInput) error { + if v == nil { + return nil + } + invalidParams := smithy.InvalidParamsError{Context: "FailoverGlobalClusterInput"} + if v.GlobalClusterIdentifier == nil { + invalidParams.Add(smithy.NewErrParamRequired("GlobalClusterIdentifier")) + } + if v.TargetDbClusterIdentifier == nil { + invalidParams.Add(smithy.NewErrParamRequired("TargetDbClusterIdentifier")) + } + if invalidParams.Len() > 0 { + return invalidParams + } else { + return nil + } +} + func validateOpListTagsForResourceInput(v *ListTagsForResourceInput) error { if v == nil { return nil diff --git a/service/ecs/api_op_CreateTaskSet.go b/service/ecs/api_op_CreateTaskSet.go index 1719591a74c..689d488dd60 100644 --- a/service/ecs/api_op_CreateTaskSet.go +++ b/service/ecs/api_op_CreateTaskSet.go 
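Review bot: validateOpFailoverGlobalClusterInput in service/docdb/validators.go only checks that GlobalClusterIdentifier and TargetDbClusterIdentifier are non-nil, although the input type's own documentation states that AllowDataLoss and Switchover cannot be specified together. A request setting both is therefore signed and sent, and the caller learns of the conflict only from the service response. Because AllowDataLoss selects a failover that can lose unreplicated writes, rejecting the ambiguous combination locally would be safer, e.g. `if v.AllowDataLoss != nil && v.Switchover != nil { invalidParams.Add(...) }` with whichever smithy error constructor the project uses for invalid parameter combinations. The trailing `else { return nil }` after the `return invalidParams` can also be flattened to a plain `return nil`.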
@@ -19,8 +19,8 @@ import ( // before authorization. When a task definition revision is not specified, // authorization will occur using the latest revision of a task definition. // -// For information about the maximum number of task sets and otther quotas, see [Amazon ECS service quotas] -// in the Amazon Elastic Container Service Developer Guide. +// For information about the maximum number of task sets and other quotas, see [Amazon ECS service quotas] in +// the Amazon Elastic Container Service Developer Guide. // // [Amazon ECS deployment types]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-types.html // [Amazon ECS service quotas]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-quotas.html diff --git a/service/ecs/api_op_RegisterTaskDefinition.go b/service/ecs/api_op_RegisterTaskDefinition.go index ba2ec831029..94cec427c36 100644 --- a/service/ecs/api_op_RegisterTaskDefinition.go +++ b/service/ecs/api_op_RegisterTaskDefinition.go 
@@ -24,17 +24,14 @@ import ( // information, see [IAM Roles for Tasks]in the Amazon Elastic Container Service Developer Guide. // // You can specify a Docker networking mode for the containers in your task -// definition with the networkMode parameter. The available network modes -// correspond to those described in [Network settings]in the Docker run reference. If you specify -// the awsvpc network mode, the task is allocated an elastic network interface, -// and you must specify a NetworkConfigurationwhen you create a service or run a task with the task -// definition. For more information, see [Task Networking]in the Amazon Elastic Container Service -// Developer Guide. +// definition with the networkMode parameter. If you specify the awsvpc network +// mode, the task is allocated an elastic network interface, and you must specify a +// NetworkConfigurationwhen you create a service or run a task with the task definition. For more +// information, see [Task Networking]in the Amazon Elastic Container Service Developer Guide. // // [Amazon ECS Task Definitions]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_defintions.html // [Task Networking]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html // [IAM Roles for Tasks]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html -// [Network settings]: https://docs.docker.com/engine/reference/run/#/network-settings func (c *Client) RegisterTaskDefinition(ctx context.Context, params *RegisterTaskDefinitionInput, optFns ...func(*Options)) (*RegisterTaskDefinitionOutput, error) { if params == nil { params = &RegisterTaskDefinitionInput{} 
@@ -126,11 +123,10 @@ type RegisterTaskDefinitionInput struct { // The Amazon Resource Name (ARN) of the task execution role that grants the // Amazon ECS container agent permission to make Amazon Web Services API calls on - // your behalf. The task execution IAM role is required depending on the - // requirements of your task. For more information, see [Amazon ECS task execution IAM role]in the Amazon Elastic - // Container Service Developer Guide. + // your behalf. For informationabout the required IAM roles for Amazon ECS, see [IAM roles for Amazon ECS]in + // the Amazon Elastic Container Service Developer Guide. // - // [Amazon ECS task execution IAM role]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html + // [IAM roles for Amazon ECS]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security-ecs-iam-role-overview.html ExecutionRoleArn *string // The Elastic Inference accelerators to use for the containers in the task. @@ -144,11 +140,10 @@ type RegisterTaskDefinitionInput struct { // resources. If none is specified, then IPC resources within the containers of a // task are private and not shared with other containers in a task or on the // container instance. If no value is specified, then the IPC resource namespace - // sharing depends on the Docker daemon setting on the container instance. For more - // information, see [IPC settings]in the Docker run reference. + // sharing depends on the Docker daemon setting on the container instance. // // If the host IPC mode is used, be aware that there is a heightened risk of - // undesired IPC namespace expose. For more information, see [Docker security]. + // undesired IPC namespace expose. // // If you are setting namespaced kernel parameters using systemControls for the // containers in the task, the following will apply to your IPC resource namespace. 
@@ -164,8 +159,6 @@ type RegisterTaskDefinitionInput struct { // This parameter is not supported for Windows containers or tasks run on Fargate. // // [System Controls]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html - // [Docker security]: https://docs.docker.com/engine/security/security/ - // [IPC settings]: https://docs.docker.com/engine/reference/run/#ipc-settings---ipc IpcMode types.IpcMode // The amount of memory (in MiB) used by the task. It can be expressed as an @@ -232,17 +225,15 @@ type RegisterTaskDefinitionInput struct { // user (UID 0). It is considered best practice to use a non-root user. // // If the network mode is awsvpc , the task is allocated an elastic network - // interface, and you must specify a NetworkConfigurationvalue when you create a service or run a task + // interface, and you must specify a [NetworkConfiguration]value when you create a service or run a task // with the task definition. For more information, see [Task Networking]in the Amazon Elastic // Container Service Developer Guide. // // If the network mode is host , you cannot run multiple instantiations of the same // task on a single container instance when port mappings are used. // - // For more information, see [Network settings] in the Docker run reference. - // // [Task Networking]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html - // [Network settings]: https://docs.docker.com/engine/reference/run/#network-settings + // [NetworkConfiguration]: https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_NetworkConfiguration.html NetworkMode types.NetworkMode // The process namespace to use for the containers in the task. The valid values 
@@ -257,20 +248,16 @@ type RegisterTaskDefinitionInput struct { // If task is specified, all containers within the specified task share the same // process namespace. // - // If no value is specified, the default is a private namespace for each - // container. For more information, see [PID settings]in the Docker run reference. + // If no value is specified, the default is a private namespace for each container. // // If the host PID mode is used, there's a heightened risk of undesired process - // namespace exposure. For more information, see [Docker security]. + // namespace exposure. // // This parameter is not supported for Windows containers. // // This parameter is only supported for tasks that are hosted on Fargate if the // tasks are using platform version 1.4.0 or later (Linux). This isn't supported // for Windows containers on Fargate. - // - // [PID settings]: https://docs.docker.com/engine/reference/run/#pid-settings---pid - // [Docker security]: https://docs.docker.com/engine/security/security/ PidMode types.PidMode // An array of placement constraint objects to use for the task. You can specify a diff --git a/service/ecs/api_op_RunTask.go b/service/ecs/api_op_RunTask.go index 9bd20b97508..48a7a18d824 100644 --- a/service/ecs/api_op_RunTask.go +++ b/service/ecs/api_op_RunTask.go 
@@ -225,12 +225,14 @@ type RunTaskInput struct {
 // An optional tag specified when a task is started. For example, if you
 // automatically trigger a task to run a batch process job, you could apply a
 // unique identifier for that job to your task with the startedBy parameter. You
- // can then identify which tasks belong to that job by filtering the results of a ListTasks
+ // can then identify which tasks belong to that job by filtering the results of a [ListTasks]
 // call with the startedBy value. Up to 128 letters (uppercase and lowercase),
- // numbers, hyphens (-), and underscores (_) are allowed.
+ // numbers, hyphens (-), forward slash (/), and underscores (_) are allowed.
 //
 // If a task is started by an Amazon ECS service, then the startedBy parameter
 // contains the deployment ID of the service that starts it.
+ //
+ // [ListTasks]: https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ListTasks.html
 StartedBy *string

 // The metadata that you apply to the task to help you categorize and organize
diff --git a/service/ecs/api_op_StartTask.go b/service/ecs/api_op_StartTask.go
index 7e12e624195..c09e57a2005 100644
--- a/service/ecs/api_op_StartTask.go
+++ b/service/ecs/api_op_StartTask.go
@@ -110,12 +110,14 @@ type StartTaskInput struct {
 // An optional tag specified when a task is started. For example, if you
 // automatically trigger a task to run a batch process job, you could apply a
 // unique identifier for that job to your task with the startedBy parameter. You
- // can then identify which tasks belong to that job by filtering the results of a ListTasks
+ // can then identify which tasks belong to that job by filtering the results of a [ListTasks]
 // call with the startedBy value. Up to 36 letters (uppercase and lowercase),
- // numbers, hyphens (-), and underscores (_) are allowed.
+ // numbers, hyphens (-), forward slash (/), and underscores (_) are allowed.
 //
 // If a task is started by an Amazon ECS service, the startedBy parameter contains
 // the deployment ID of the service that starts it.
+ //
+ // [ListTasks]: https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ListTasks.html
 StartedBy *string

 // The metadata that you apply to the task to help you categorize and organize
diff --git a/service/ecs/api_op_UpdateContainerInstancesState.go b/service/ecs/api_op_UpdateContainerInstancesState.go
index 64596e17471..232f8e06bf8 100644
--- a/service/ecs/api_op_UpdateContainerInstancesState.go
+++ b/service/ecs/api_op_UpdateContainerInstancesState.go
@@ -54,11 +54,13 @@ import (
 // You must wait for them to finish or stop them manually.
 //
 // A container instance has completed draining when it has no more RUNNING tasks.
-// You can verify this using ListTasks.
+// You can verify this using [ListTasks].
 //
 // When a container instance has been drained, you can set a container instance to
 // ACTIVE status and once it has reached that status the Amazon ECS scheduler can
 // begin scheduling tasks on the instance again.
+//
+// [ListTasks]: https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ListTasks.html
 func (c *Client) UpdateContainerInstancesState(ctx context.Context, params *UpdateContainerInstancesStateInput, optFns ...func(*Options)) (*UpdateContainerInstancesStateOutput, error) {
 if params == nil {
 params = &UpdateContainerInstancesStateInput{}
diff --git a/service/ecs/deserializers.go b/service/ecs/deserializers.go
index 46480da9628..dbf37e611ff 100644
--- a/service/ecs/deserializers.go
+++ b/service/ecs/deserializers.go
@@ -9313,6 +9313,11 @@ func awsAwsjson11_deserializeDocumentContainerDefinition(v **types.ContainerDefi
 return err
 }

+ case "restartPolicy":
+ if err := awsAwsjson11_deserializeDocumentContainerRestartPolicy(&sv.RestartPolicy, value); err != nil {
+ return err
+ }
+
 case "secrets":
 if err := awsAwsjson11_deserializeDocumentSecretList(&sv.Secrets, value); err != nil {
 return err
@@ -9899,6 +9904,64 @@ func awsAwsjson11_deserializeDocumentContainerOverrides(v *[]types.ContainerOver
 return nil
 }

+func awsAwsjson11_deserializeDocumentContainerRestartPolicy(v **types.ContainerRestartPolicy, value interface{}) error {
+ if v == nil {
+ return fmt.Errorf("unexpected nil of type %T", v)
+ }
+ if value == nil {
+ return nil
+ }
+
+ shape, ok := value.(map[string]interface{})
+ if !ok {
+ return fmt.Errorf("unexpected JSON type %v", value)
+ }
+
+ var sv *types.ContainerRestartPolicy
+ if *v == nil {
+ sv = &types.ContainerRestartPolicy{}
+ } else {
+ sv = *v
+ }
+
+ for key, value := range shape {
+ switch key {
+ case "enabled":
+ if value != nil {
+ jtv, ok := value.(bool)
+ if !ok {
+ return fmt.Errorf("expected BoxedBoolean to be of type *bool, got %T instead", value)
+ }
+ sv.Enabled = ptr.Bool(jtv)
+ }
+
+ case "ignoredExitCodes":
+ if err := awsAwsjson11_deserializeDocumentIntegerList(&sv.IgnoredExitCodes, value); err != nil {
+ return err
+ }
+
+ case "restartAttemptPeriod":
+ if value != nil {
+ jtv, ok := value.(json.Number)
+ if !ok {
+ return fmt.Errorf("expected BoxedInteger to be json.Number, got %T instead", value)
+ }
+ i64, err := jtv.Int64()
+ if err != nil {
+ return err
+ }
+ sv.RestartAttemptPeriod = ptr.Int32(int32(i64))
+ }
+
+ default:
+ _, _ = key, value
+
+ }
+ }
+ *v = sv
+ return nil
+}
+
 func awsAwsjson11_deserializeDocumentContainers(v *[]types.Container, value interface{}) error {
 if v == nil {
 return fmt.Errorf("unexpected nil of type %T", v)
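Review bot: The `restartAttemptPeriod` branch narrows the parsed value with `int32(i64)` and no range check, so a number outside the int32 range in the response body wraps silently instead of failing deserialization. The same unchecked narrowing is in `awsAwsjson11_deserializeDocumentIntegerList` (`col = int32(i64)`) in the next deserializers.go hunk, which fills `IgnoredExitCodes`. A guard before the assignment, `if i64 < math.MinInt32 || i64 > math.MaxInt32 { return fmt.Errorf("expected BoxedInteger in int32 range, got %d", i64) }`, would turn the mismatch into an error (it needs the `math` import). The file looks like code-generator output, so the check presumably belongs in the generator rather than in a hand edit here.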
@@ -11970,6 +12033,46 @@ func awsAwsjson11_deserializeDocumentInstanceHealthCheckResultList(v *[]types.In
 return nil
 }

+func awsAwsjson11_deserializeDocumentIntegerList(v *[]int32, value interface{}) error {
+ if v == nil {
+ return fmt.Errorf("unexpected nil of type %T", v)
+ }
+ if value == nil {
+ return nil
+ }
+
+ shape, ok := value.([]interface{})
+ if !ok {
+ return fmt.Errorf("unexpected JSON type %v", value)
+ }
+
+ var cv []int32
+ if *v == nil {
+ cv = []int32{}
+ } else {
+ cv = *v
+ }
+
+ for _, value := range shape {
+ var col int32
+ if value != nil {
+ jtv, ok := value.(json.Number)
+ if !ok {
+ return fmt.Errorf("expected BoxedInteger to be json.Number, got %T instead", value)
+ }
+ i64, err := jtv.Int64()
+ if err != nil {
+ return err
+ }
+ col = int32(i64)
+ }
+ cv = append(cv, col)
+
+ }
+ *v = cv
+ return nil
+}
+
 func awsAwsjson11_deserializeDocumentInvalidParameterException(v **types.InvalidParameterException, value interface{}) error {
 if v == nil {
 return fmt.Errorf("unexpected nil of type %T", v)
diff --git a/service/ecs/serializers.go b/service/ecs/serializers.go
index 0dcfe331717..5773a64483e 100644
--- a/service/ecs/serializers.go
+++ b/service/ecs/serializers.go
@@ -3580,6 +3580,13 @@ func awsAwsjson11_serializeDocumentContainerDefinition(v *types.ContainerDefinit
 }
 }

+ if v.RestartPolicy != nil {
+ ok := object.Key("restartPolicy")
+ if err := awsAwsjson11_serializeDocumentContainerRestartPolicy(v.RestartPolicy, ok); err != nil {
+ return err
+ }
+ }
+
 if v.Secrets != nil {
 ok := object.Key("secrets")
 if err := awsAwsjson11_serializeDocumentSecretList(v.Secrets, ok); err != nil {
@@ -3753,6 +3760,30 @@ func awsAwsjson11_serializeDocumentContainerOverrides(v []types.ContainerOverrid
 return nil
 }

+func awsAwsjson11_serializeDocumentContainerRestartPolicy(v *types.ContainerRestartPolicy, value smithyjson.Value) error {
+ object := value.Object()
+ defer object.Close()
+
+ if v.Enabled != nil {
+ ok := object.Key("enabled")
+ ok.Boolean(*v.Enabled)
+ }
+
+ if v.IgnoredExitCodes != nil {
+ ok := object.Key("ignoredExitCodes")
+ if err := awsAwsjson11_serializeDocumentIntegerList(v.IgnoredExitCodes, ok); err != nil {
+ return err
+ }
+ }
+
+ if v.RestartAttemptPeriod != nil {
+ ok := object.Key("restartAttemptPeriod")
+ ok.Integer(*v.RestartAttemptPeriod)
+ }
+
+ return nil
+}
+
 func awsAwsjson11_serializeDocumentContainerStateChange(v *types.ContainerStateChange, value smithyjson.Value) error {
 object := value.Object()
 defer object.Close()
@@ -4395,6 +4426,17 @@ func awsAwsjson11_serializeDocumentInferenceAccelerators(v []types.InferenceAcce
 return nil
 }

+func awsAwsjson11_serializeDocumentIntegerList(v []int32, value smithyjson.Value) error {
+ array := value.Array()
+ defer array.Close()
+
+ for i := range v {
+ av := array.Value()
+ av.Integer(v[i])
+ }
+ return nil
+}
+
 func awsAwsjson11_serializeDocumentKernelCapabilities(v *types.KernelCapabilities, value smithyjson.Value) error {
 object := value.Object()
 defer object.Close()
diff --git a/service/ecs/types/errors.go b/service/ecs/types/errors.go
index fd458127f28..dd15239eedc 100644
--- a/service/ecs/types/errors.go
+++ b/service/ecs/types/errors.go
@@ -93,6 +93,14 @@ func (e *BlockedException) ErrorFault() smithy.ErrorFault { return smithy.FaultC // using an action or resource on behalf of a user that doesn't have permissions to // use the action or resource. Or, it might be specifying an identifier that isn't // valid. +// +// The following list includes additional causes for the error: +// +// - The RunTask could not be processed because you use managed scaling and there +// is a capacity error because the quota of tasks in the PROVISIONING per cluster +// has been reached. For information about the service quotas, see [Amazon ECS service quotas]. +// +// [Amazon ECS service quotas]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-quotas.html type ClientException struct { Message *string @@ -629,8 +637,10 @@ func (e *TargetNotConnectedException) ErrorCode() string { func (e *TargetNotConnectedException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient } // The specified target wasn't found. You can view your available container -// instances with ListContainerInstances. Amazon ECS container instances are cluster-specific and +// instances with [ListContainerInstances]. Amazon ECS container instances are cluster-specific and // Region-specific. +// +// [ListContainerInstances]: https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ListContainerInstances.html type TargetNotFoundException struct { Message *string diff --git a/service/ecs/types/types.go b/service/ecs/types/types.go index 5dcba2c554a..df07cd9e320 100644 --- a/service/ecs/types/types.go +++ b/service/ecs/types/types.go 
@@ -159,7 +159,8 @@ type AutoScalingGroupProviderUpdate struct { // An object representing the networking details for a task or service. For // example -// awsvpcConfiguration={subnets=["subnet-12344321"],securityGroups=["sg-12344321"]} +// awsVpcConfiguration={subnets=["subnet-12344321"],securityGroups=["sg-12344321"]} +// . type AwsVpcConfiguration struct { // The IDs of the subnets associated with the task or service. There's a limit of @@ -630,18 +631,14 @@ type Container struct { // containers that are launched as part of a task. type ContainerDefinition struct { - // The command that's passed to the container. This parameter maps to Cmd in the [Create a container] - // section of the [Docker Remote API]and the COMMAND parameter to [docker run]. For more information, see [https://docs.docker.com/engine/reference/builder/#cmd]. If + // The command that's passed to the container. This parameter maps to Cmd in the + // docker create-container command and the COMMAND parameter to docker run. If // there are multiple arguments, each argument is a separated string in the array. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ - // [https://docs.docker.com/engine/reference/builder/#cmd]: https://docs.docker.com/engine/reference/builder/#cmd Command []string // The number of cpu units reserved for the container. This parameter maps to - // CpuShares in the [Create a container] section of the [Docker Remote API] and the --cpu-shares option to [docker run]. + // CpuShares in the docker create-container commandand the --cpu-shares option to + // docker run. // // This field is optional for tasks using the Fargate launch type, and the only // requirement is that the total amount of CPU reserved for all containers within a 
@@ -664,11 +661,12 @@ type ContainerDefinition struct { // // On Linux container instances, the Docker daemon on the container instance uses // the CPU value to calculate the relative CPU share ratios for running containers. - // For more information, see [CPU share constraint]in the Docker documentation. The minimum valid CPU - // share value that the Linux kernel allows is 2. However, the CPU parameter isn't - // required, and you can use CPU values below 2 in your container definitions. For - // CPU values below 2 (including null), the behavior varies based on your Amazon - // ECS container agent version: + // The minimum valid CPU share value that the Linux kernel allows is 2, and the + // maximum valid CPU share value that the Linux kernel allows is 262144. However, + // the CPU parameter isn't required, and you can use CPU values below 2 or above + // 262144 in your container definitions. For CPU values below 2 (including null) or + // above 262144, the behavior varies based on your Amazon ECS container agent + // version: // // - Agent versions less than or equal to 1.1.0: Null and zero CPU values are // passed to Docker as 0, which Docker then converts to 1,024 CPU shares. CPU 
@@ -678,16 +676,15 @@ type ContainerDefinition struct { // - Agent versions greater than or equal to 1.2.0: Null, zero, and CPU values // of 1 are passed to Docker as 2. // + // - Agent versions greater than or equal to 1.84.0: CPU values greater than 256 + // vCPU are passed to Docker as 256, which is equivalent to 262144 CPU shares. + // // On Windows container instances, the CPU limit is enforced as an absolute limit, // or a quota. Windows containers only have access to the specified amount of CPU // that's described in the task definition. A null or zero CPU value is passed to // Docker as 0 , which Windows interprets as 1% of one CPU. // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [CPU share constraint]: https://docs.docker.com/engine/reference/run/#cpu-share-constraint // [Amazon EC2 Instances]: http://aws.amazon.com/ec2/instance-types/ - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ Cpu int32 // A list of ARNs in SSM or Amazon S3 to a credential spec ( CredSpec ) file that 
@@ -753,50 +750,36 @@ type ContainerDefinition struct { DependsOn []ContainerDependency // When this parameter is true, networking is off within the container. This - // parameter maps to NetworkDisabled in the [Create a container] section of the [Docker Remote API]. + // parameter maps to NetworkDisabled in the docker create-container command. // // This parameter is not supported for Windows containers. - // - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ DisableNetworking *bool // A list of DNS search domains that are presented to the container. This - // parameter maps to DnsSearch in the [Create a container] section of the [Docker Remote API] and the --dns-search option - // to [docker run]. + // parameter maps to DnsSearch in the docker create-container command and the + // --dns-search option to docker run. // // This parameter is not supported for Windows containers. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ DnsSearchDomains []string // A list of DNS servers that are presented to the container. This parameter maps - // to Dns in the [Create a container] section of the [Docker Remote API] and the --dns option to [docker run]. + // to Dns in the the docker create-container command and the --dns option to + // docker run. // // This parameter is not supported for Windows containers. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ DnsServers []string // A key/value map of labels to add to the container. 
This parameter maps to Labels - // in the [Create a container]section of the [Docker Remote API] and the --label option to [docker run]. This parameter requires - // version 1.18 of the Docker Remote API or greater on your container instance. To - // check the Docker Remote API version on your container instance, log in to your - // container instance and run the following command: sudo docker version --format - // '{{.Server.APIVersion}}' - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ + // in the docker create-container command and the --label option to docker run. + // This parameter requires version 1.18 of the Docker Remote API or greater on your + // container instance. To check the Docker Remote API version on your container + // instance, log in to your container instance and run the following command: sudo + // docker version --format '{{.Server.APIVersion}}' DockerLabels map[string]string // A list of strings to provide custom configuration for multiple security - // systems. For more information about valid values, see [Docker Run Security Configuration]. This field isn't valid - // for containers in tasks using the Fargate launch type. + // systems. This field isn't valid for containers in tasks using the Fargate launch + // type. // // For Linux tasks on EC2, this parameter can be used to reference custom labels // for SELinux and AppArmor multi-level security systems. 
@@ -805,8 +788,8 @@ type ContainerDefinition struct { // file that configures a container for Active Directory authentication. For more // information, see [Using gMSAs for Windows Containers]and [Using gMSAs for Linux Containers] in the Amazon Elastic Container Service Developer Guide. // - // This parameter maps to SecurityOpt in the [Create a container] section of the [Docker Remote API] and the - // --security-opt option to [docker run]. + // This parameter maps to SecurityOpt in the docker create-container command and + // the --security-opt option to docker run. // // The Amazon ECS container agent running on a container instance must register // with the ECS_SELINUX_CAPABLE=true or ECS_APPARMOR_CAPABLE=true environment @@ -814,17 +797,11 @@ type ContainerDefinition struct { // options. For more information, see [Amazon ECS Container Agent Configuration]in the Amazon Elastic Container Service // Developer Guide. // - // For more information about valid values, see [Docker Run Security Configuration]. - // // Valid values: "no-new-privileges" | "apparmor:PROFILE" | "label:value" | // "credentialspec:CredentialSpecFilePath" // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Docker Run Security Configuration]: https://docs.docker.com/engine/reference/run/#security-configuration // [Using gMSAs for Windows Containers]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/windows-gmsa.html - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate // [Using gMSAs for Linux Containers]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/linux-gmsa.html - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ // [Amazon ECS Container Agent Configuration]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html DockerSecurityOptions []string 
@@ -834,33 +811,24 @@ type ContainerDefinition struct { // instead. // // The entry point that's passed to the container. This parameter maps to - // Entrypoint in the [Create a container] section of the [Docker Remote API] and the --entrypoint option to [docker run]. For more - // information, see [https://docs.docker.com/engine/reference/builder/#entrypoint]. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [https://docs.docker.com/engine/reference/builder/#entrypoint]: https://docs.docker.com/engine/reference/builder/#entrypoint - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ + // Entrypoint in tthe docker create-container command and the --entrypoint option + // to docker run. EntryPoint []string // The environment variables to pass to a container. This parameter maps to Env in - // the [Create a container]section of the [Docker Remote API] and the --env option to [docker run]. + // the docker create-container command and the --env option to docker run. // // We don't recommend that you use plaintext environment variables for sensitive // information, such as credential data. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ Environment []KeyValuePair // A list of files containing the environment variables to pass to a container. - // This parameter maps to the --env-file option to [docker run]. + // This parameter maps to the --env-file option to docker run. // // You can specify up to ten environment files. The file must have a .env file // extension. Each line in an environment file contains an environment variable in // VARIABLE=VALUE format. 
Lines beginning with # are treated as comments and are - // ignored. For more information about the environment variable file syntax, see [Declare default environment variables in file]. + // ignored. // // If there are environment variables specified using the environment parameter in // a container definition, they take precedence over the variables contained within @@ -869,8 +837,6 @@ type ContainerDefinition struct { // use unique variable names. For more information, see [Specifying Environment Variables]in the Amazon Elastic // Container Service Developer Guide. // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Declare default environment variables in file]: https://docs.docker.com/compose/env-file/ // [Specifying Environment Variables]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html EnvironmentFiles []EnvironmentFile @@ -890,15 +856,11 @@ type ContainerDefinition struct { Essential *bool // A list of hostnames and IP address mappings to append to the /etc/hosts file on - // the container. This parameter maps to ExtraHosts in the [Create a container] section of the [Docker Remote API] and - // the --add-host option to [docker run]. + // the container. This parameter maps to ExtraHosts in the docker create-container + // command and the --add-host option to docker run. // // This parameter isn't supported for Windows containers or tasks that use the // awsvpc network mode. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ ExtraHosts []HostEntry // The FireLens configuration for the container. This is used to specify and 
@@ -909,22 +871,14 @@ type ContainerDefinition struct { FirelensConfiguration *FirelensConfiguration // The container health check command and associated configuration parameters for - // the container. This parameter maps to HealthCheck in the [Create a container] section of the [Docker Remote API] and - // the HEALTHCHECK parameter of [docker run]. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ + // the container. This parameter maps to HealthCheck in the docker + // create-container command and the HEALTHCHECK parameter of docker run. HealthCheck *HealthCheck - // The hostname to use for your container. This parameter maps to Hostname in the [Create a container] - // section of the [Docker Remote API]and the --hostname option to [docker run]. + // The hostname to use for your container. This parameter maps to Hostname in + // thethe docker create-container command and the --hostname option to docker run. // // The hostname parameter is not supported if you're using the awsvpc network mode. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ Hostname *string // The image used to start a container. This string is passed directly to the 
@@ -932,8 +886,8 @@ type ContainerDefinition struct { // Other repositories are specified with either repository-url/image:tag or // repository-url/image@digest . Up to 255 letters (uppercase and lowercase), // numbers, hyphens, underscores, colons, periods, forward slashes, and number - // signs are allowed. This parameter maps to Image in the [Create a container] section of the [Docker Remote API] and the - // IMAGE parameter of [docker run]. + // signs are allowed. This parameter maps to Image in the docker create-container + // command and the IMAGE parameter of docker run. // // - When a new task starts, the Amazon ECS container agent pulls the latest // version of the specified image and tag for the container to use. However, 
@@ -954,28 +908,19 @@ type ContainerDefinition struct { // // - Images in other online repositories are qualified further by a domain name // (for example, quay.io/assemblyline/ubuntu ). - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ Image *string // When this parameter is true , you can deploy containerized applications that - // require stdin or a tty to be allocated. This parameter maps to OpenStdin in the [Create a container] - // section of the [Docker Remote API]and the --interactive option to [docker run]. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ + // require stdin or a tty to be allocated. This parameter maps to OpenStdin in the + // docker create-container command and the --interactive option to docker run. Interactive *bool // The links parameter allows containers to communicate with each other without // the need for port mappings. This parameter is only supported if the network mode // of a task definition is bridge . The name:internalName construct is analogous // to name:alias in Docker links. Up to 255 letters (uppercase and lowercase), - // numbers, underscores, and hyphens are allowed. For more information about - // linking Docker containers, go to [Legacy container links]in the Docker documentation. This parameter - // maps to Links in the [Create a container] section of the [Docker Remote API] and the --link option to [docker run]. + // numbers, underscores, and hyphens are allowed.. This parameter maps to Links in + // the docker create-container command and the --link option to docker run. 
// // This parameter is not supported for Windows containers. // @@ -983,11 +928,6 @@ type ContainerDefinition struct { // communicate with each other without requiring links or host port mappings. // Network isolation is achieved on the container instance using security groups // and VPC settings. - // - // [Legacy container links]: https://docs.docker.com/network/links/ - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ Links []string // Linux-specific modifications that are applied to the container, such as Linux 
@@ -998,14 +938,13 @@ type ContainerDefinition struct { // The log configuration specification for the container. // - // This parameter maps to LogConfig in the [Create a container] section of the [Docker Remote API] and the --log-driver - // option to [docker run]. By default, containers use the same logging driver that the Docker - // daemon uses. However the container can use a different logging driver than the - // Docker daemon by specifying a log driver with this parameter in the container - // definition. To use a different logging driver for a container, the log system - // must be configured properly on the container instance (or on a different log - // server for remote logging options). For more information about the options for - // different supported log drivers, see [Configure logging drivers]in the Docker documentation. + // This parameter maps to LogConfig in the docker create-container command and the + // --log-driver option to docker run. By default, containers use the same logging + // driver that the Docker daemon uses. However the container can use a different + // logging driver than the Docker daemon by specifying a log driver with this + // parameter in the container definition. To use a different logging driver for a + // container, the log system must be configured properly on the container instance + // (or on a different log server for remote logging options). // // Amazon ECS currently supports a subset of the logging drivers available to the // Docker daemon (shown in the LogConfigurationdata type). Additional log drivers may be available 
@@ -1022,10 +961,6 @@ type ContainerDefinition struct { // that instance can use these log configuration options. For more information, see // [Amazon ECS Container Agent Configuration]in the Amazon Elastic Container Service Developer Guide. // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Configure logging drivers]: https://docs.docker.com/engine/admin/logging/overview/ - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ // [Amazon ECS Container Agent Configuration]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html LogConfiguration *LogConfiguration @@ -1033,7 +968,7 @@ type ContainerDefinition struct { // attempts to exceed the memory specified here, the container is killed. The total // amount of memory reserved for all containers within a task must be lower than // the task memory value, if one is specified. This parameter maps to Memory in - // the [Create a container]section of the [Docker Remote API] and the --memory option to [docker run]. + // thethe docker create-container command and the --memory option to docker run. // // If using the Fargate launch type, this parameter is optional. // @@ -1050,10 +985,6 @@ type ContainerDefinition struct { // The Docker 19.03.13-ce or earlier daemon reserves a minimum of 4 MiB of memory // for a container. So, don't specify less than 4 MiB of memory for your // containers. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ Memory *int32 // The soft limit (in MiB) of memory to reserve for the container. When system 
@@ -1061,8 +992,8 @@ type ContainerDefinition struct { // to this soft limit. However, your container can consume more memory when it // needs to, up to either the hard limit specified with the memory parameter (if // applicable), or all of the available memory on the container instance, whichever - // comes first. This parameter maps to MemoryReservation in the [Create a container] section of the [Docker Remote API] - // and the --memory-reservation option to [docker run]. + // comes first. This parameter maps to MemoryReservation in the the docker + // create-container command and the --memory-reservation option to docker run. // // If a task-level memory value is not specified, you must specify a non-zero // integer for one or both of memory or memoryReservation in a container 
@@ -1084,35 +1015,24 @@ type ContainerDefinition struct { // The Docker 19.03.13-ce or earlier daemon reserves a minimum of 4 MiB of memory // for a container. So, don't specify less than 4 MiB of memory for your // containers. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ MemoryReservation *int32 // The mount points for data volumes in your container. // - // This parameter maps to Volumes in the [Create a container] section of the [Docker Remote API] and the --volume option - // to [docker run]. + // This parameter maps to Volumes in the the docker create-container command and + // the --volume option to docker run. // // Windows containers can mount whole directories on the same drive as // $env:ProgramData . Windows containers can't mount directories on a different // drive, and mount point can't be across drives. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ MountPoints []MountPoint // The name of a container. If you're linking multiple containers together in a // task definition, the name of one container can be entered in the links of // another container to connect the containers. Up to 255 letters (uppercase and // lowercase), numbers, underscores, and hyphens are allowed. This parameter maps - // to name in the [Create a container] section of the [Docker Remote API] and the --name option to [docker run]. 
- // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ + // to name in tthe docker create-container command and the --name option to docker + // run. Name *string // The list of port mappings for the container. Port mappings allow containers to 
@@ -1126,50 +1046,35 @@ type ContainerDefinition struct { // There's no loopback for port mappings on Windows, so you can't access a // container's mapped port from the host itself. // - // This parameter maps to PortBindings in the [Create a container] section of the [Docker Remote API] and the --publish - // option to [docker run]. If the network mode of a task definition is set to none , then you - // can't specify port mappings. If the network mode of a task definition is set to - // host , then host ports must either be undefined or they must match the container - // port in the port mapping. + // This parameter maps to PortBindings in the the docker create-container command + // and the --publish option to docker run. If the network mode of a task + // definition is set to none , then you can't specify port mappings. If the network + // mode of a task definition is set to host , then host ports must either be + // undefined or they must match the container port in the port mapping. // // After a task reaches the RUNNING status, manual and automatic host and // container port assignments are visible in the Network Bindings section of a // container description for a selected task in the Amazon ECS console. The // assignments are also visible in the networkBindings section DescribeTasks responses. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ PortMappings []PortMapping // When this parameter is true, the container is given elevated privileges on the // host container instance (similar to the root user). This parameter maps to - // Privileged in the [Create a container] section of the [Docker Remote API] and the --privileged option to [docker run]. 
+ // Privileged in the the docker create-container command and the --privileged + // option to docker run // // This parameter is not supported for Windows containers or tasks run on Fargate. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ Privileged *bool // When this parameter is true , a TTY is allocated. This parameter maps to Tty in - // the [Create a container]section of the [Docker Remote API] and the --tty option to [docker run]. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ + // tthe docker create-container command and the --tty option to docker run. PseudoTerminal *bool // When this parameter is true, the container is given read-only access to its - // root file system. This parameter maps to ReadonlyRootfs in the [Create a container] section of the [Docker Remote API] - // and the --read-only option to [docker run]. + // root file system. This parameter maps to ReadonlyRootfs in the docker + // create-container command and the --read-only option to docker run. // // This parameter is not supported for Windows containers. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ ReadonlyRootFilesystem *bool // The private repository authentication credentials to use. 
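Review bot: The new Privileged comment stops at `// option to docker run` with no closing period, and with the reference link gone the only description left of what the flag grants is "similar to the root user". Because this field gives the container elevated privileges on the host container instance, the comment should also say when to avoid it, for example `// option to docker run. Leave this unset unless the container needs host-level access; where only specific capabilities are needed, add them through KernelCapabilities instead.` ContainerDefinition starts and ends outside the hunk.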
@@ -1179,6 +1084,13 @@ type ContainerDefinition struct { // resource is a GPU. ResourceRequirements []ResourceRequirement + // The restart policy for a container. When you set up a restart policy, Amazon + // ECS can restart the container without needing to replace the task. For more + // information, see [Restart individual containers in Amazon ECS tasks with container restart policies]in the Amazon Elastic Container Service Developer Guide. + // + // [Restart individual containers in Amazon ECS tasks with container restart policies]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/container-restart-policy.html + RestartPolicy *ContainerRestartPolicy + // The secrets to pass to the container. For more information, see [Specifying Sensitive Data] in the Amazon // Elastic Container Service Developer Guide. // @@ -1213,7 +1125,7 @@ type ContainerDefinition struct { // ecs-init . For more information, see [Amazon ECS-optimized Linux AMI] in the Amazon Elastic Container Service // Developer Guide. // - // The valid values are 2-120 seconds. + // The valid values for Fargate are 2-120 seconds. // // [Updating the Amazon ECS Container Agent]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-update.html // [Amazon ECS-optimized Linux AMI]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html 
@@ -1255,25 +1167,21 @@ type ContainerDefinition struct { StopTimeout *int32 // A list of namespaced kernel parameters to set in the container. This parameter - // maps to Sysctls in the [Create a container] section of the [Docker Remote API] and the --sysctl option to [docker run]. For - // example, you can configure net.ipv4.tcp_keepalive_time setting to maintain - // longer lived connections. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ + // maps to Sysctls in tthe docker create-container command and the --sysctl option + // to docker run. For example, you can configure net.ipv4.tcp_keepalive_time + // setting to maintain longer lived connections. SystemControls []SystemControl // A list of ulimits to set in the container. If a ulimit value is specified in a // task definition, it overrides the default values set by Docker. This parameter - // maps to Ulimits in the [Create a container] section of the [Docker Remote API] and the --ulimit option to [docker run]. Valid - // naming values are displayed in the Ulimitdata type. + // maps to Ulimits in tthe docker create-container command and the --ulimit option + // to docker run. Valid naming values are displayed in the Ulimitdata type. // // Amazon ECS tasks hosted on Fargate use the default resource limit values set by // the operating system with the exception of the nofile resource limit parameter // which Fargate overrides. The nofile resource limit sets a restriction on the // number of open files that a container can use. The default nofile soft limit is - // 1024 and the default hard limit is 65535 . + // 65535 and the default hard limit is 65535 . // // This parameter requires version 1.18 of the Docker Remote API or greater on // your container instance. 
To check the Docker Remote API version on your @@ -1281,14 +1189,10 @@ type ContainerDefinition struct { // command: sudo docker version --format '{{.Server.APIVersion}}' // // This parameter is not supported for Windows containers. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ Ulimits []Ulimit - // The user to use inside the container. This parameter maps to User in the [Create a container] - // section of the [Docker Remote API]and the --user option to [docker run]. + // The user to use inside the container. This parameter maps to User in the docker + // create-container command and the --user option to docker run. // // When running tasks using the host network mode, don't run containers using the // root user (UID 0). We recommend using a non-root user for better security. 
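Review bot: In the Ulimits comment the documented default nofile soft limit changes from 1024 to 65535, so the sentence now reads "soft limit is 65535 and the default hard limit is 65535". Callers who size file-descriptor use or set resource-exhaustion limits from this comment would get a different bound, and nothing in the hunk shows which value is right, so it is worth confirming against the service documentation. If both limits really are equal, `// The default nofile soft limit and hard limit are both 65535 .` says so without the repetition. ContainerDefinition starts and ends outside the hunk.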
@@ -1309,26 +1213,16 @@ type ContainerDefinition struct { // - uid:group // // This parameter is not supported for Windows containers. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ User *string // Data volumes to mount from another container. This parameter maps to VolumesFrom - // in the [Create a container]section of the [Docker Remote API] and the --volumes-from option to [docker run]. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ + // in tthe docker create-container command and the --volumes-from option to docker + // run. VolumesFrom []VolumeFrom // The working directory to run commands inside the container in. This parameter - // maps to WorkingDir in the [Create a container] section of the [Docker Remote API] and the --workdir option to [docker run]. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ + // maps to WorkingDir in the docker create-container command and the --workdir + // option to docker run. WorkingDirectory *string noSmithyDocumentSerde 
@@ -1593,6 +1487,37 @@ type ContainerOverride struct { noSmithyDocumentSerde } +// You can enable a restart policy for each container defined in your task +// definition, to overcome transient failures faster and maintain task +// availability. When you enable a restart policy for a container, Amazon ECS can +// restart the container if it exits, without needing to replace the task. For more +// information, see [Restart individual containers in Amazon ECS tasks with container restart policies]in the Amazon Elastic Container Service Developer Guide. +// +// [Restart individual containers in Amazon ECS tasks with container restart policies]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/container-restart-policy.html +type ContainerRestartPolicy struct { + + // Specifies whether a restart policy is enabled for the container. + // + // This member is required. + Enabled *bool + + // A list of exit codes that Amazon ECS will ignore and not attempt a restart on. + // You can specify a maximum of 50 container exit codes. By default, Amazon ECS + // does not ignore any exit codes. + IgnoredExitCodes []int32 + + // A period of time (in seconds) that the container must run for before a restart + // can be attempted. A container can be restarted only once every + // restartAttemptPeriod seconds. If a container isn't able to run for this time + // period and exits early, it will not be restarted. You can set a minimum + // restartAttemptPeriod of 60 seconds and a maximum restartAttemptPeriod of 1800 + // seconds. By default, a container must run for 300 seconds before it can be + // restarted. + RestartAttemptPeriod *int32 + + noSmithyDocumentSerde +} + // An object that represents a change in state for a container. type ContainerStateChange struct { 
@@ -1988,30 +1913,19 @@ type DockerVolumeConfiguration struct { // provided by Docker because it is used for task placement. If the driver was // installed using the Docker plugin CLI, use docker plugin ls to retrieve the // driver name from your container instance. If the driver was installed using - // another method, use Docker plugin discovery to retrieve the driver name. For - // more information, see [Docker plugin discovery]. This parameter maps to Driver in the [Create a volume] section of the [Docker Remote API] - // and the xxdriver option to [docker volume create]. - // - // [Create a volume]: https://docs.docker.com/engine/api/v1.35/#operation/VolumeCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ - // [docker volume create]: https://docs.docker.com/engine/reference/commandline/volume_create/ - // [Docker plugin discovery]: https://docs.docker.com/engine/extend/plugin_api/#plugin-discovery + // another method, use Docker plugin discovery to retrieve the driver name. This + // parameter maps to Driver in the docker create-container command and the xxdriver + // option to docker volume create. Driver *string // A map of Docker driver-specific options passed through. This parameter maps to - // DriverOpts in the [Create a volume] section of the [Docker Remote API] and the xxopt option to [docker volume create]. - // - // [Create a volume]: https://docs.docker.com/engine/api/v1.35/#operation/VolumeCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ - // [docker volume create]: https://docs.docker.com/engine/reference/commandline/volume_create/ + // DriverOpts in the docker create-volume command and the xxopt option to docker + // volume create. DriverOpts map[string]string // Custom metadata to add to your Docker volume. This parameter maps to Labels in - // the [Create a volume]section of the [Docker Remote API] and the xxlabel option to [docker volume create]. 
- // - // [Create a volume]: https://docs.docker.com/engine/api/v1.35/#operation/VolumeCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ - // [docker volume create]: https://docs.docker.com/engine/reference/commandline/volume_create/ + // the docker create-container command and the xxlabel option to docker volume + // create. Labels map[string]string // The scope for the Docker volume that determines its lifecycle. Docker volumes @@ -2349,7 +2263,7 @@ type FSxWindowsFileServerVolumeConfiguration struct { // are specified in a container definition override any Docker health checks that // exist in the container image (such as those specified in a parent image or from // the image's Dockerfile). This configuration maps to the HEALTHCHECK parameter -// of [docker run]. +// of docker run. // // The Amazon ECS container agent only monitors and reports on the health checks // specified in the task definition. Amazon ECS does not monitor Docker health @@ -2447,7 +2361,6 @@ type FSxWindowsFileServerVolumeConfiguration struct { // - Container health checks aren't supported for tasks that are part of a // service that's configured to use a Classic Load Balancer. // -// [docker run]: https://docs.docker.com/engine/reference/run/ // [Updating the Amazon ECS container agent]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-update.html // [Fargate platform versions]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/platform_versions.html type HealthCheck struct { 
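Review bot: The new Driver and Labels comments on DockerVolumeConfiguration say the parameters map to "the docker create-container command", while DriverOpts between them says "docker create-volume", and all three pair it with options to docker volume create. These are volume settings, so the container wording looks like a copy error; Driver should read `// parameter maps to Driver in the docker create-volume command and the xxdriver` and Labels `// the docker create-volume command and the xxlabel option to docker volume`. The `xx` prefix on `xxdriver`, `xxopt` and `xxlabel` is carried over from the removed lines and presumably stands for `--`. DockerVolumeConfiguration starts and ends outside the hunk.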
@@ -2469,10 +2382,7 @@ type HealthCheck struct { // CMD-SHELL, curl -f http://localhost/ || exit 1 // // An exit code of 0 indicates success, and non-zero exit code indicates failure. - // For more information, see HealthCheck in the [Create a container] section of the [Docker Remote API]. - // - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ + // For more information, see HealthCheck in tthe docker create-container command // // This member is required. Command []string @@ -2599,18 +2509,15 @@ type InstanceHealthCheckResult struct { } // The Linux capabilities to add or remove from the default Docker configuration -// for a container defined in the task definition. For more information about the -// default capabilities and the non-default available capabilities, see [Runtime privilege and Linux capabilities]in the -// Docker run reference. For more detailed information about these Linux -// capabilities, see the [capabilities(7)]Linux manual page. +// for a container defined in the task definition. For more detailed information +// about these Linux capabilities, see the [capabilities(7)]Linux manual page. // -// [Runtime privilege and Linux capabilities]: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities // [capabilities(7)]: http://man7.org/linux/man-pages/man7/capabilities.7.html type KernelCapabilities struct { // The Linux capabilities for the container that have been added to the default - // configuration provided by Docker. This parameter maps to CapAdd in the [Create a container] section - // of the [Docker Remote API]and the --cap-add option to [docker run]. + // configuration provided by Docker. This parameter maps to CapAdd in the docker + // create-container command and the --cap-add option to docker run. // // Tasks launched on Fargate only support adding the SYS_PTRACE kernel capability. // 
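Review bot: The KernelCapabilities type comment in the second hunk on this line loses its only pointer to what the "default Docker configuration" contains, yet the Add and Drop fields are still described relative to that default. A reader deciding what to drop can no longer tell from these comments which capabilities a container starts with. I would keep one sentence on that, such as `// The default set is the one the Docker daemon on the container instance applies; see capabilities(7) for what each capability permits.` The struct body continues outside the hunk.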
@@ -2622,15 +2529,11 @@ type KernelCapabilities struct { // "SYS_BOOT" | "SYS_CHROOT" | "SYS_MODULE" | "SYS_NICE" | "SYS_PACCT" | // "SYS_PTRACE" | "SYS_RAWIO" | "SYS_RESOURCE" | "SYS_TIME" | "SYS_TTY_CONFIG" | // "SYSLOG" | "WAKE_ALARM" - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ Add []string // The Linux capabilities for the container that have been removed from the - // default configuration provided by Docker. This parameter maps to CapDrop in the [Create a container] - // section of the [Docker Remote API]and the --cap-drop option to [docker run]. + // default configuration provided by Docker. This parameter maps to CapDrop in the + // docker create-container command and the --cap-drop option to docker run. // // Valid values: "ALL" | "AUDIT_CONTROL" | "AUDIT_WRITE" | "BLOCK_SUSPEND" | // "CHOWN" | "DAC_OVERRIDE" | "DAC_READ_SEARCH" | "FOWNER" | "FSETID" | "IPC_LOCK" @@ -2640,10 +2543,6 @@ type KernelCapabilities struct { // "SYS_BOOT" | "SYS_CHROOT" | "SYS_MODULE" | "SYS_NICE" | "SYS_PACCT" | // "SYS_PTRACE" | "SYS_RAWIO" | "SYS_RESOURCE" | "SYS_TIME" | "SYS_TTY_CONFIG" | // "SYSLOG" | "WAKE_ALARM" - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ Drop []string noSmithyDocumentSerde 
@@ -2677,14 +2576,10 @@ type LinuxParameters struct { Capabilities *KernelCapabilities // Any host devices to expose to the container. This parameter maps to Devices in - // the [Create a container]section of the [Docker Remote API] and the --device option to [docker run]. + // tthe docker create-container command and the --device option to docker run. // // If you're using tasks that use the Fargate launch type, the devices parameter // isn't supported. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ Devices []Device // Run an init process inside the container that forwards signals and reaps @@ -2716,12 +2611,10 @@ type LinuxParameters struct { MaxSwap *int32 // The value for the size (in MiB) of the /dev/shm volume. This parameter maps to - // the --shm-size option to [docker run]. + // the --shm-size option to docker run. // // If you are using tasks that use the Fargate launch type, the sharedMemorySize // parameter is not supported. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration SharedMemorySize *int32 // This allows you to tune a container's memory swappiness behavior. A swappiness 
@@ -2730,24 +2623,20 @@ type LinuxParameters struct { // Accepted values are whole numbers between 0 and 100 . If the swappiness // parameter is not specified, a default value of 60 is used. If a value is not // specified for maxSwap then this parameter is ignored. This parameter maps to - // the --memory-swappiness option to [docker run]. + // the --memory-swappiness option to docker run. // // If you're using tasks that use the Fargate launch type, the swappiness // parameter isn't supported. // // If you're using tasks on Amazon Linux 2023 the swappiness parameter isn't // supported. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration Swappiness *int32 // The container path, mount options, and size (in MiB) of the tmpfs mount. This - // parameter maps to the --tmpfs option to [docker run]. + // parameter maps to the --tmpfs option to docker run. // // If you're using tasks that use the Fargate launch type, the tmpfs parameter // isn't supported. - // - // [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration Tmpfs []Tmpfs noSmithyDocumentSerde 
@@ -2818,13 +2707,11 @@ type LoadBalancer struct { } // The log configuration for the container. This parameter maps to LogConfig in -// the [Create a container]section of the [Docker Remote API] and the --log-driver option to [docker run]docker run . +// the docker create-container command and the --log-driver option to docker run. // // By default, containers use the same logging driver that the Docker daemon uses. // However, the container might use a different logging driver than the Docker -// daemon by specifying a log driver configuration in the container definition. For -// more information about the options for different supported log drivers, see [Configure logging drivers]in -// the Docker documentation. +// daemon by specifying a log driver configuration in the container definition. // // Understand the following when specifying a log configuration for your // containers. @@ -2839,8 +2726,7 @@ type LoadBalancer struct { // // For tasks hosted on Amazon EC2 instances, the supported log drivers are awslogs // -// , fluentd , gelf , json-file , journald , logentries , syslog , splunk , and -// awsfirelens . +// , fluentd , gelf , json-file , journald , syslog , splunk , and awsfirelens . // // - This parameter requires version 1.18 of the Docker Remote API or greater on // your container instance. 
@@ -2856,11 +2742,6 @@ type LoadBalancer struct { // needed must be installed outside of the task. For example, the Fluentd output // aggregators or a remote host running Logstash to send Gelf logs to. // -// [docker run]: https://docs.docker.com/engine/reference/commandline/run/ -// [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate -// [Configure logging drivers]: https://docs.docker.com/engine/admin/logging/overview/ -// [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ -// // [Amazon ECS container agent configuration]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html type LogConfiguration struct { @@ -2870,14 +2751,12 @@ type LogConfiguration struct { // awsfirelens . // // For tasks hosted on Amazon EC2 instances, the supported log drivers are awslogs - // , fluentd , gelf , json-file , journald , logentries , syslog , splunk , and - // awsfirelens . + // , fluentd , gelf , json-file , journald , syslog , splunk , and awsfirelens . // - // For more information about using the awslogs log driver, see [Using the awslogs log driver] in the Amazon + // For more information about using the awslogs log driver, see [Send Amazon ECS logs to CloudWatch] in the Amazon // Elastic Container Service Developer Guide. // - // For more information about using the awsfirelens log driver, see [Custom log routing] in the Amazon - // Elastic Container Service Developer Guide. + // For more information about using the awsfirelens log driver, see [Send Amazon ECS logs to an Amazon Web Services service or Amazon Web Services Partner]. // // If you have a custom driver that isn't listed, you can fork the Amazon ECS // container agent project that's [available on GitHub]and customize it to work with that driver. We 
@@ -2885,9 +2764,9 @@ type LogConfiguration struct { // included. However, we don't currently provide support for running modified // copies of this software. // + // [Send Amazon ECS logs to an Amazon Web Services service or Amazon Web Services Partner]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_firelens.html + // [Send Amazon ECS logs to CloudWatch]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_awslogs.html // [available on GitHub]: https://github.com/aws/amazon-ecs-agent - // [Using the awslogs log driver]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_awslogs.html - // [Custom log routing]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_firelens.html // // This member is required. LogDriver LogDriver @@ -3217,9 +3096,9 @@ type PlatformDevice struct { // must be the same value as the containerPort . // // Most fields of this parameter ( containerPort , hostPort , protocol ) maps to -// PortBindings in the [Create a container] section of the [Docker Remote API] and the --publish option to [docker run]docker run . If -// the network mode of a task definition is set to host , host ports must either be -// undefined or match the container port in the port mapping. +// PortBindings in the docker create-container command and the --publish option to +// docker run . If the network mode of a task definition is set to host , host +// ports must either be undefined or match the container port in the port mapping. // // You can't expose the same container port for multiple protocols. If you attempt // this, an error is returned. 
@@ -3227,10 +3106,6 @@ type PlatformDevice struct { // After a task reaches the RUNNING status, manual and automatic host and // container port assignments are visible in the networkBindings section of DescribeTasks API // responses. -// -// [docker run]: https://docs.docker.com/engine/reference/commandline/run/ -// [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate -// [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ type PortMapping struct { // The application protocol that's used for the port mapping. This parameter only @@ -3859,13 +3734,11 @@ type ServiceConnectConfiguration struct { Enabled bool // The log configuration for the container. This parameter maps to LogConfig in - // the [Create a container]section of the [Docker Remote API] and the --log-driver option to [docker run]docker run . + // the docker create-container command and the --log-driver option to docker run. // // By default, containers use the same logging driver that the Docker daemon uses. // However, the container might use a different logging driver than the Docker - // daemon by specifying a log driver configuration in the container definition. For - // more information about the options for different supported log drivers, see [Configure logging drivers]in - // the Docker documentation. + // daemon by specifying a log driver configuration in the container definition. // // Understand the following when specifying a log configuration for your // containers. @@ -3878,8 +3751,7 @@ type ServiceConnectConfiguration struct { // awsfirelens . // // For tasks hosted on Amazon EC2 instances, the supported log drivers are awslogs - // , fluentd , gelf , json-file , journald , logentries , syslog , splunk , and - // awsfirelens . + // , fluentd , gelf , json-file , journald , syslog , splunk , and awsfirelens . // // - This parameter requires version 1.18 of the Docker Remote API or greater on // your container instance. 
@@ -3895,11 +3767,7 @@ type ServiceConnectConfiguration struct { // needed must be installed outside of the task. For example, the Fluentd output // aggregators or a remote host running Logstash to send Gelf logs to. // - // [docker run]: https://docs.docker.com/engine/reference/commandline/run/ - // [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate - // [Configure logging drivers]: https://docs.docker.com/engine/admin/logging/overview/ // [Amazon ECS container agent configuration]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html - // [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ LogConfiguration *LogConfiguration // The namespace name or full Amazon Resource Name (ARN) of the Cloud Map @@ -4302,9 +4170,9 @@ type Setting struct { } // A list of namespaced kernel parameters to set in the container. This parameter -// maps to Sysctls in the [Create a container] section of the [Docker Remote API] and the --sysctl option to [docker run]. For -// example, you can configure net.ipv4.tcp_keepalive_time setting to maintain -// longer lived connections. +// maps to Sysctls in tthe docker create-container command and the --sysctl option +// to docker run. For example, you can configure net.ipv4.tcp_keepalive_time +// setting to maintain longer lived connections. // // We don't recommend that you specify network-related systemControls parameters // for multiple containers in a single task that also uses either the awsvpc or 
@@ -4334,10 +4202,7 @@ type Setting struct { // tasks are using platform version 1.4.0 or later (Linux). This isn't supported // for Windows containers on Fargate. // -// [docker run]: https://docs.docker.com/engine/reference/run/#security-configuration -// [Create a container]: https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate // [IPC mode]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_definition_ipcmode -// [Docker Remote API]: https://docs.docker.com/engine/api/v1.35/ type SystemControl struct { // The namespaced kernel parameter to set a value for. @@ -4679,6 +4544,9 @@ type TaskDefinition struct { // this field is required. You must use one of the following values. The value that // you choose determines your range of valid values for the memory parameter. // + // If you use the EC2 launch type, this field is optional. Supported values are + // between 128 CPU units ( 0.125 vCPUs) and 10240 CPU units ( 10 vCPUs). + // // The CPU units cannot be less than 1 vCPU when you use Windows containers on // Fargate. // 
@@ -4714,11 +4582,10 @@ type TaskDefinition struct { // The Amazon Resource Name (ARN) of the task execution role that grants the // Amazon ECS container agent permission to make Amazon Web Services API calls on - // your behalf. The task execution IAM role is required depending on the - // requirements of your task. For more information, see [Amazon ECS task execution IAM role]in the Amazon Elastic - // Container Service Developer Guide. + // your behalf. For informationabout the required IAM roles for Amazon ECS, see [IAM roles for Amazon ECS]in + // the Amazon Elastic Container Service Developer Guide. // - // [Amazon ECS task execution IAM role]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html + // [IAM roles for Amazon ECS]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security-ecs-iam-role-overview.html ExecutionRoleArn *string // The name of a family that this task definition is registered to. Up to 255 @@ -4742,11 +4609,10 @@ type TaskDefinition struct { // resources. If none is specified, then IPC resources within the containers of a // task are private and not shared with other containers in a task or on the // container instance. If no value is specified, then the IPC resource namespace - // sharing depends on the Docker daemon setting on the container instance. For more - // information, see [IPC settings]in the Docker run reference. + // sharing depends on the Docker daemon setting on the container instance. // // If the host IPC mode is used, be aware that there is a heightened risk of - // undesired IPC namespace expose. For more information, see [Docker security]. + // undesired IPC namespace expose. // // If you are setting namespaced kernel parameters using systemControls for the // containers in the task, the following will apply to your IPC resource namespace. 
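Review bot: In the IpcMode hunk the sentence `If the host IPC mode is used, be aware that there is a heightened risk of undesired IPC namespace expose.` has lost the Docker security reference it used to cite, so the comment warns of a risk it no longer explains. The PidMode hunk further down does the same for `heightened risk of undesired process namespace exposure`. I would follow each warning with one sentence of substance, for IpcMode something like `// With host, containers share the container instance's IPC namespace, so shared memory and message queues are reachable from other processes on that instance.`, and the equivalent statement about process visibility under PidMode. `expose` should also read `exposure`, matching the PidMode wording. The TaskDefinition struct begins and ends outside these hunks.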
@@ -4762,8 +4628,6 @@ type TaskDefinition struct { // This parameter is not supported for Windows containers or tasks run on Fargate. // // [System Controls]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html - // [Docker security]: https://docs.docker.com/engine/security/security/ - // [IPC settings]: https://docs.docker.com/engine/reference/run/#ipc-settings---ipc IpcMode IpcMode // The amount (in MiB) of memory used by the task. @@ -4827,17 +4691,15 @@ type TaskDefinition struct { // user (UID 0). It is considered best practice to use a non-root user. // // If the network mode is awsvpc , the task is allocated an elastic network - // interface, and you must specify a NetworkConfigurationvalue when you create a service or run a task + // interface, and you must specify a [NetworkConfiguration]value when you create a service or run a task // with the task definition. For more information, see [Task Networking]in the Amazon Elastic // Container Service Developer Guide. // // If the network mode is host , you cannot run multiple instantiations of the same // task on a single container instance when port mappings are used. // - // For more information, see [Network settings] in the Docker run reference. - // // [Task Networking]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html - // [Network settings]: https://docs.docker.com/engine/reference/run/#network-settings + // [NetworkConfiguration]: https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_NetworkConfiguration.html NetworkMode NetworkMode // The process namespace to use for the containers in the task. The valid values 
@@ -4852,20 +4714,16 @@ type TaskDefinition struct { // If task is specified, all containers within the specified task share the same // process namespace. // - // If no value is specified, the default is a private namespace for each - // container. For more information, see [PID settings]in the Docker run reference. + // If no value is specified, the default is a private namespace for each container. // // If the host PID mode is used, there's a heightened risk of undesired process - // namespace exposure. For more information, see [Docker security]. + // namespace exposure. // // This parameter is not supported for Windows containers. // // This parameter is only supported for tasks that are hosted on Fargate if the // tasks are using platform version 1.4.0 or later (Linux). This isn't supported // for Windows containers on Fargate. - // - // [PID settings]: https://docs.docker.com/engine/reference/run/#pid-settings---pid - // [Docker security]: https://docs.docker.com/engine/security/security/ PidMode PidMode // An array of placement constraint objects to use for tasks. 
@@ -4933,16 +4791,10 @@ type TaskDefinition struct { // The short name or full Amazon Resource Name (ARN) of the Identity and Access // Management role that grants containers in the task permission to call Amazon Web - // Services APIs on your behalf. For more information, see [Amazon ECS Task Role]in the Amazon Elastic - // Container Service Developer Guide. - // - // IAM roles for tasks on Windows require that the -EnableTaskIAMRole option is - // set when you launch the Amazon ECS-optimized Windows AMI. Your containers must - // also run some configuration code to use the feature. For more information, see [Windows IAM roles for tasks] - // in the Amazon Elastic Container Service Developer Guide. + // Services APIs on your behalf. For informationabout the required IAM roles for + // Amazon ECS, see [IAM roles for Amazon ECS]in the Amazon Elastic Container Service Developer Guide. // - // [Windows IAM roles for tasks]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/windows_task_IAM_roles.html - // [Amazon ECS Task Role]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html + // [IAM roles for Amazon ECS]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security-ecs-iam-role-overview.html TaskRoleArn *string // The list of data volume definitions for the task. For more information, see [Using data volumes in tasks] in @@ -5428,7 +5280,7 @@ type Tmpfs struct { // the operating system with the exception of the nofile resource limit parameter // which Fargate overrides. The nofile resource limit sets a restriction on the // number of open files that a container can use. The default nofile soft limit is -// 1024 and the default hard limit is 65535 . +// 65535 and the default hard limit is 65535 . // // You can specify the ulimit settings for a container in a task definition. type Ulimit struct { diff --git a/service/ecs/validators.go b/service/ecs/validators.go index 8e5c592cc1e..dbe5aa2adda 100644 
--- a/service/ecs/validators.go +++ b/service/ecs/validators.go @@ -1244,6 +1244,11 @@ func validateContainerDefinition(v *types.ContainerDefinition) error { invalidParams.AddNested("RepositoryCredentials", err.(smithy.InvalidParamsError)) } } + if v.RestartPolicy != nil { + if err := validateContainerRestartPolicy(v.RestartPolicy); err != nil { + invalidParams.AddNested("RestartPolicy", err.(smithy.InvalidParamsError)) + } + } if v.EnvironmentFiles != nil { if err := validateEnvironmentFiles(v.EnvironmentFiles); err != nil { invalidParams.AddNested("EnvironmentFiles", err.(smithy.InvalidParamsError)) @@ -1392,6 +1397,21 @@ func validateContainerOverrides(v []types.ContainerOverride) error { } } +func validateContainerRestartPolicy(v *types.ContainerRestartPolicy) error { + if v == nil { + return nil + } + invalidParams := smithy.InvalidParamsError{Context: "ContainerRestartPolicy"} + if v.Enabled == nil { + invalidParams.Add(smithy.NewErrParamRequired("Enabled")) + } + if invalidParams.Len() > 0 { + return invalidParams + } else { + return nil + } +} + func validateDeploymentAlarms(v *types.DeploymentAlarms) error { if v == nil { return nil diff --git a/service/iam/api_op_CreateOpenIDConnectProvider.go b/service/iam/api_op_CreateOpenIDConnectProvider.go index 59f9a148110..500f15b16f4 100644 --- a/service/iam/api_op_CreateOpenIDConnectProvider.go +++ b/service/iam/api_op_CreateOpenIDConnectProvider.go 
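Review bot: The new RestartPolicy branch in validateContainerDefinition uses the single-value assertion `err.(smithy.InvalidParamsError)`, which panics if the validator ever returns any other error type. It is safe today only because validateContainerRestartPolicy returns either `invalidParams` or nil. The neighbouring context lines follow the same convention, so I would record the dependency rather than restructure it, with a comment on the validator such as `// Returns only smithy.InvalidParamsError or nil; callers type-assert the result.` In validateContainerRestartPolicy the trailing `else { return nil }` after a returning `if` can be a plain `return nil`. validateContainerDefinition starts and ends outside the hunk.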
@@ -37,13 +37,11 @@ import ( // You get all of this information from the OIDC IdP you want to use to access // Amazon Web Services. // -// Amazon Web Services secures communication with some OIDC identity providers -// (IdPs) through our library of trusted root certificate authorities (CAs) instead -// of using a certificate thumbprint to verify your IdP server certificate. In -// these cases, your legacy thumbprint remains in your configuration, but is no -// longer used for validation. These OIDC IdPs include Auth0, GitHub, GitLab, -// Google, and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS) -// endpoint. +// Amazon Web Services secures communication with OIDC identity providers (IdPs) +// using our library of trusted root certificate authorities (CAs) to verify the +// JSON Web Key Set (JWKS) endpoint's TLS certificate. If your OIDC IdP relies on a +// certificate that is not signed by one of these trusted CAs, only then we secure +// communication using the thumbprints set in the IdP's configuration. // // The trust for the OIDC provider is derived from the IAM provider that this // operation creates. Therefore, it is best to limit access to the CreateOpenIDConnectProvideroperation to diff --git a/service/iam/api_op_ListAccountAliases.go b/service/iam/api_op_ListAccountAliases.go index af5c0d42106..52f2855fef8 100644 --- a/service/iam/api_op_ListAccountAliases.go +++ b/service/iam/api_op_ListAccountAliases.go 
@@ -12,9 +12,9 @@ import ( // Lists the account alias associated with the Amazon Web Services account (Note: // you can have only one). For information about using an Amazon Web Services -// account alias, see [Creating, deleting, and listing an Amazon Web Services account alias]in the Amazon Web Services Sign-In User Guide. +// account alias, see [Creating, deleting, and listing an Amazon Web Services account alias]in the IAM User Guide. // -// [Creating, deleting, and listing an Amazon Web Services account alias]: https://docs.aws.amazon.com/signin/latest/userguide/CreateAccountAlias.html +// [Creating, deleting, and listing an Amazon Web Services account alias]: https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html#CreateAccountAlias func (c *Client) ListAccountAliases(ctx context.Context, params *ListAccountAliasesInput, optFns ...func(*Options)) (*ListAccountAliasesOutput, error) { if params == nil { params = &ListAccountAliasesInput{} diff --git a/service/iam/api_op_UpdateOpenIDConnectProviderThumbprint.go b/service/iam/api_op_UpdateOpenIDConnectProviderThumbprint.go index 2b34f750ff6..d4c8aa627ca 100644 --- a/service/iam/api_op_UpdateOpenIDConnectProviderThumbprint.go +++ b/service/iam/api_op_UpdateOpenIDConnectProviderThumbprint.go 
@@ -21,13 +21,11 @@ import ( // does change, any attempt to assume an IAM role that specifies the OIDC provider // as a principal fails until the certificate thumbprint is updated. // -// Amazon Web Services secures communication with some OIDC identity providers -// (IdPs) through our library of trusted root certificate authorities (CAs) instead -// of using a certificate thumbprint to verify your IdP server certificate. In -// these cases, your legacy thumbprint remains in your configuration, but is no -// longer used for validation. These OIDC IdPs include Auth0, GitHub, GitLab, -// Google, and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS) -// endpoint. +// Amazon Web Services secures communication with OIDC identity providers (IdPs) +// using our library of trusted root certificate authorities (CAs) to verify the +// JSON Web Key Set (JWKS) endpoint's TLS certificate. If your OIDC IdP relies on a +// certificate that is not signed by one of these trusted CAs, only then we secure +// communication using the thumbprints set in the IdP's configuration. // // Trust for the OIDC provider is derived from the provider certificate and is // validated by the thumbprint. Therefore, it is best to limit access to the diff --git a/service/iam/types/types.go b/service/iam/types/types.go index a3f8b4ec4cc..e3798d8857b 100644 --- a/service/iam/types/types.go +++ b/service/iam/types/types.go 
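Review bot: The replacement paragraph says thumbprints are used only when the IdP's certificate is not signed by one of the trusted CAs, but the unchanged sentence right after it still reads `Trust for the OIDC provider is derived from the provider certificate and is validated by the thumbprint`, and the context line above still says role assumption `fails until the certificate thumbprint is updated`. Read together, an operator cannot tell whether rotating a thumbprint has any effect for a CA-signed IdP. I would qualify the older sentence, e.g. `// When the thumbprint is used for validation, trust for the OIDC provider is derived from the provider certificate.` The phrase `only then we secure communication` is also awkward, both here and in the identical paragraph added to api_op_CreateOpenIDConnectProvider.go. `we secure communication using the thumbprints only in that case` reads better.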
@@ -113,21 +113,6 @@ type AccessKey struct { // This data type is used as a response element in the GetAccessKeyLastUsed operation. type AccessKeyLastUsed struct { - // The date and time, in [ISO 8601 date-time format], when the access key was most recently used. This field - // is null in the following situations: - // - // - The user does not have an access key. - // - // - An access key exists but has not been used since IAM began tracking this - // information. - // - // - There is no sign-in data associated with the user. - // - // [ISO 8601 date-time format]: http://www.iso.org/iso/iso8601 - // - // This member is required. - LastUsedDate *time.Time - // The Amazon Web Services Region where this access key was most recently used. // The value for this field is "N/A" in the following situations: // @@ -159,6 +144,19 @@ type AccessKeyLastUsed struct { // This member is required. ServiceName *string + // The date and time, in [ISO 8601 date-time format], when the access key was most recently used. This field + // is null in the following situations: + // + // - The user does not have an access key. + // + // - An access key exists but has not been used since IAM began tracking this + // information. + // + // - There is no sign-in data associated with the user. + // + // [ISO 8601 date-time format]: http://www.iso.org/iso/iso8601 + LastUsedDate *time.Time + noSmithyDocumentSerde } diff --git a/service/kinesisanalytics/internal/endpoints/endpoints.go b/service/kinesisanalytics/internal/endpoints/endpoints.go index 532b7364d77..016ce55f7c3 100644 --- a/service/kinesisanalytics/internal/endpoints/endpoints.go +++ b/service/kinesisanalytics/internal/endpoints/endpoints.go 
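Review bot: With `This member is required.` dropped from LastUsedDate in the second hunk, callers that dereference `*LastUsedDate` unconditionally will panic for the situations the comment lists. The comment only says the field `is null`, without spelling out what that means for a Go caller. I would add a line such as `// LastUsedDate is nil in these cases; check it before dereferencing.` The Region comment describes an "N/A" string for its own unset cases, so credential-audit tooling should handle a nil date as "no recorded use" explicitly rather than falling back to a zero time. AccessKeyLastUsed begins outside the first hunk.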
@@ -175,9 +175,21 @@ var defaultPartitions = endpoints.Partitions{ endpoints.EndpointKey{ Region: "ca-central-1", }: endpoints.Endpoint{}, + endpoints.EndpointKey{ + Region: "ca-central-1", + Variant: endpoints.FIPSVariant, + }: { + Hostname: "kinesisanalytics-fips.ca-central-1.amazonaws.com", + }, endpoints.EndpointKey{ Region: "ca-west-1", }: endpoints.Endpoint{}, + endpoints.EndpointKey{ + Region: "ca-west-1", + Variant: endpoints.FIPSVariant, + }: { + Hostname: "kinesisanalytics-fips.ca-west-1.amazonaws.com", + }, endpoints.EndpointKey{ Region: "eu-central-1", }: endpoints.Endpoint{}, 
@@ -202,6 +214,60 @@ var defaultPartitions = endpoints.Partitions{ endpoints.EndpointKey{ Region: "eu-west-3", }: endpoints.Endpoint{}, + endpoints.EndpointKey{ + Region: "fips-ca-central-1", + }: endpoints.Endpoint{ + Hostname: "kinesisanalytics-fips.ca-central-1.amazonaws.com", + CredentialScope: endpoints.CredentialScope{ + Region: "ca-central-1", + }, + Deprecated: aws.TrueTernary, + }, + endpoints.EndpointKey{ + Region: "fips-ca-west-1", + }: endpoints.Endpoint{ + Hostname: "kinesisanalytics-fips.ca-west-1.amazonaws.com", + CredentialScope: endpoints.CredentialScope{ + Region: "ca-west-1", + }, + Deprecated: aws.TrueTernary, + }, + endpoints.EndpointKey{ + Region: "fips-us-east-1", + }: endpoints.Endpoint{ + Hostname: "kinesisanalytics-fips.us-east-1.amazonaws.com", + CredentialScope: endpoints.CredentialScope{ + Region: "us-east-1", + }, + Deprecated: aws.TrueTernary, + }, + endpoints.EndpointKey{ + Region: "fips-us-east-2", + }: endpoints.Endpoint{ + Hostname: "kinesisanalytics-fips.us-east-2.amazonaws.com", + CredentialScope: endpoints.CredentialScope{ + Region: "us-east-2", + }, + Deprecated: aws.TrueTernary, + }, + endpoints.EndpointKey{ + Region: "fips-us-west-1", + }: endpoints.Endpoint{ + Hostname: "kinesisanalytics-fips.us-west-1.amazonaws.com", + CredentialScope: endpoints.CredentialScope{ + Region: "us-west-1", + }, + Deprecated: aws.TrueTernary, + }, + endpoints.EndpointKey{ + Region: "fips-us-west-2", + }: endpoints.Endpoint{ + Hostname: "kinesisanalytics-fips.us-west-2.amazonaws.com", + CredentialScope: endpoints.CredentialScope{ + Region: "us-west-2", + }, + Deprecated: aws.TrueTernary, + }, endpoints.EndpointKey{ Region: "il-central-1", }: endpoints.Endpoint{}, 
@@ -217,15 +283,39 @@ var defaultPartitions = endpoints.Partitions{ endpoints.EndpointKey{ Region: "us-east-1", }: endpoints.Endpoint{}, + endpoints.EndpointKey{ + Region: "us-east-1", + Variant: endpoints.FIPSVariant, + }: { + Hostname: "kinesisanalytics-fips.us-east-1.amazonaws.com", + }, endpoints.EndpointKey{ Region: "us-east-2", }: endpoints.Endpoint{}, + endpoints.EndpointKey{ + Region: "us-east-2", + Variant: endpoints.FIPSVariant, + }: { + Hostname: "kinesisanalytics-fips.us-east-2.amazonaws.com", + }, endpoints.EndpointKey{ Region: "us-west-1", }: endpoints.Endpoint{}, + endpoints.EndpointKey{ + Region: "us-west-1", + Variant: endpoints.FIPSVariant, + }: { + Hostname: "kinesisanalytics-fips.us-west-1.amazonaws.com", + }, endpoints.EndpointKey{ Region: "us-west-2", }: endpoints.Endpoint{}, + endpoints.EndpointKey{ + Region: "us-west-2", + Variant: endpoints.FIPSVariant, + }: { + Hostname: "kinesisanalytics-fips.us-west-2.amazonaws.com", + }, }, }, { 
@@ -390,12 +480,42 @@ var defaultPartitions = endpoints.Partitions{ RegionRegex: partitionRegexp.AwsUsGov, IsRegionalized: true, Endpoints: endpoints.Endpoints{ + endpoints.EndpointKey{ + Region: "fips-us-gov-east-1", + }: endpoints.Endpoint{ + Hostname: "kinesisanalytics-fips.us-gov-east-1.amazonaws.com", + CredentialScope: endpoints.CredentialScope{ + Region: "us-gov-east-1", + }, + Deprecated: aws.TrueTernary, + }, + endpoints.EndpointKey{ + Region: "fips-us-gov-west-1", + }: endpoints.Endpoint{ + Hostname: "kinesisanalytics-fips.us-gov-west-1.amazonaws.com", + CredentialScope: endpoints.CredentialScope{ + Region: "us-gov-west-1", + }, + Deprecated: aws.TrueTernary, + }, endpoints.EndpointKey{ Region: "us-gov-east-1", }: endpoints.Endpoint{}, + endpoints.EndpointKey{ + Region: "us-gov-east-1", + Variant: endpoints.FIPSVariant, + }: { + Hostname: "kinesisanalytics-fips.us-gov-east-1.amazonaws.com", + }, endpoints.EndpointKey{ Region: "us-gov-west-1", }: endpoints.Endpoint{}, + endpoints.EndpointKey{ + Region: "us-gov-west-1", + Variant: endpoints.FIPSVariant, + }: { + Hostname: "kinesisanalytics-fips.us-gov-west-1.amazonaws.com", + }, }, }, } diff --git a/service/kinesisanalyticsv2/internal/endpoints/endpoints.go b/service/kinesisanalyticsv2/internal/endpoints/endpoints.go index f5ceff5f73c..1c6f19181b0 100644 --- a/service/kinesisanalyticsv2/internal/endpoints/endpoints.go +++ b/service/kinesisanalyticsv2/internal/endpoints/endpoints.go 
@@ -175,9 +175,21 @@ var defaultPartitions = endpoints.Partitions{ endpoints.EndpointKey{ Region: "ca-central-1", }: endpoints.Endpoint{}, + endpoints.EndpointKey{ + Region: "ca-central-1", + Variant: endpoints.FIPSVariant, + }: { + Hostname: "kinesisanalytics-fips.ca-central-1.amazonaws.com", + }, endpoints.EndpointKey{ Region: "ca-west-1", }: endpoints.Endpoint{}, + endpoints.EndpointKey{ + Region: "ca-west-1", + Variant: endpoints.FIPSVariant, + }: { + Hostname: "kinesisanalytics-fips.ca-west-1.amazonaws.com", + }, endpoints.EndpointKey{ Region: "eu-central-1", }: endpoints.Endpoint{}, 
@@ -202,6 +214,60 @@ var defaultPartitions = endpoints.Partitions{ endpoints.EndpointKey{ Region: "eu-west-3", }: endpoints.Endpoint{}, + endpoints.EndpointKey{ + Region: "fips-ca-central-1", + }: endpoints.Endpoint{ + Hostname: "kinesisanalytics-fips.ca-central-1.amazonaws.com", + CredentialScope: endpoints.CredentialScope{ + Region: "ca-central-1", + }, + Deprecated: aws.TrueTernary, + }, + endpoints.EndpointKey{ + Region: "fips-ca-west-1", + }: endpoints.Endpoint{ + Hostname: "kinesisanalytics-fips.ca-west-1.amazonaws.com", + CredentialScope: endpoints.CredentialScope{ + Region: "ca-west-1", + }, + Deprecated: aws.TrueTernary, + }, + endpoints.EndpointKey{ + Region: "fips-us-east-1", + }: endpoints.Endpoint{ + Hostname: "kinesisanalytics-fips.us-east-1.amazonaws.com", + CredentialScope: endpoints.CredentialScope{ + Region: "us-east-1", + }, + Deprecated: aws.TrueTernary, + }, + endpoints.EndpointKey{ + Region: "fips-us-east-2", + }: endpoints.Endpoint{ + Hostname: "kinesisanalytics-fips.us-east-2.amazonaws.com", + CredentialScope: endpoints.CredentialScope{ + Region: "us-east-2", + }, + Deprecated: aws.TrueTernary, + }, + endpoints.EndpointKey{ + Region: "fips-us-west-1", + }: endpoints.Endpoint{ + Hostname: "kinesisanalytics-fips.us-west-1.amazonaws.com", + CredentialScope: endpoints.CredentialScope{ + Region: "us-west-1", + }, + Deprecated: aws.TrueTernary, + }, + endpoints.EndpointKey{ + Region: "fips-us-west-2", + }: endpoints.Endpoint{ + Hostname: "kinesisanalytics-fips.us-west-2.amazonaws.com", + CredentialScope: endpoints.CredentialScope{ + Region: "us-west-2", + }, + Deprecated: aws.TrueTernary, + }, endpoints.EndpointKey{ Region: "il-central-1", }: endpoints.Endpoint{}, 
@@ -217,15 +283,39 @@ var defaultPartitions = endpoints.Partitions{ endpoints.EndpointKey{ Region: "us-east-1", }: endpoints.Endpoint{}, + endpoints.EndpointKey{ + Region: "us-east-1", + Variant: endpoints.FIPSVariant, + }: { + Hostname: "kinesisanalytics-fips.us-east-1.amazonaws.com", + }, endpoints.EndpointKey{ Region: "us-east-2", }: endpoints.Endpoint{}, + endpoints.EndpointKey{ + Region: "us-east-2", + Variant: endpoints.FIPSVariant, + }: { + Hostname: "kinesisanalytics-fips.us-east-2.amazonaws.com", + }, endpoints.EndpointKey{ Region: "us-west-1", }: endpoints.Endpoint{}, + endpoints.EndpointKey{ + Region: "us-west-1", + Variant: endpoints.FIPSVariant, + }: { + Hostname: "kinesisanalytics-fips.us-west-1.amazonaws.com", + }, endpoints.EndpointKey{ Region: "us-west-2", }: endpoints.Endpoint{}, + endpoints.EndpointKey{ + Region: "us-west-2", + Variant: endpoints.FIPSVariant, + }: { + Hostname: "kinesisanalytics-fips.us-west-2.amazonaws.com", + }, }, }, { 
@@ -390,12 +480,42 @@ var defaultPartitions = endpoints.Partitions{ RegionRegex: partitionRegexp.AwsUsGov, IsRegionalized: true, Endpoints: endpoints.Endpoints{ + endpoints.EndpointKey{ + Region: "fips-us-gov-east-1", + }: endpoints.Endpoint{ + Hostname: "kinesisanalytics-fips.us-gov-east-1.amazonaws.com", + CredentialScope: endpoints.CredentialScope{ + Region: "us-gov-east-1", + }, + Deprecated: aws.TrueTernary, + }, + endpoints.EndpointKey{ + Region: "fips-us-gov-west-1", + }: endpoints.Endpoint{ + Hostname: "kinesisanalytics-fips.us-gov-west-1.amazonaws.com", + CredentialScope: endpoints.CredentialScope{ + Region: "us-gov-west-1", + }, + Deprecated: aws.TrueTernary, + }, endpoints.EndpointKey{ Region: "us-gov-east-1", }: endpoints.Endpoint{}, + endpoints.EndpointKey{ + Region: "us-gov-east-1", + Variant: endpoints.FIPSVariant, + }: { + Hostname: "kinesisanalytics-fips.us-gov-east-1.amazonaws.com", + }, endpoints.EndpointKey{ Region: "us-gov-west-1", }: endpoints.Endpoint{}, + endpoints.EndpointKey{ + Region: "us-gov-west-1", + Variant: endpoints.FIPSVariant, + }: { + Hostname: "kinesisanalytics-fips.us-gov-west-1.amazonaws.com", + }, }, }, } diff --git a/service/s3/api_op_AbortMultipartUpload.go b/service/s3/api_op_AbortMultipartUpload.go index 00e395efb62..659ab8a7166 100644 --- a/service/s3/api_op_AbortMultipartUpload.go +++ b/service/s3/api_op_AbortMultipartUpload.go 
@@ -24,12 +24,19 @@ import ( // part storage, you should call the [ListParts]API operation and ensure that the parts list // is empty. // -// Directory buckets - For directory buckets, you must make requests for this API -// operation to the Zonal endpoint. These endpoints support virtual-hosted-style -// requests in the format -// https://bucket_name.s3express-az_id.region.amazonaws.com/key-name . Path-style -// requests are not supported. For more information, see [Regional and Zonal endpoints]in the Amazon S3 User -// Guide. +// - Directory buckets - If multipart uploads in a directory bucket are in +// progress, you can't delete the bucket until all the in-progress multipart +// uploads are aborted or completed. To delete these in-progress multipart uploads, +// use the ListMultipartUploads operation to list the in-progress multipart +// uploads in the bucket and use the AbortMultupartUpload operation to abort all +// the in-progress multipart uploads. +// +// - Directory buckets - For directory buckets, you must make requests for this +// API operation to the Zonal endpoint. These endpoints support +// virtual-hosted-style requests in the format +// https://bucket_name.s3express-az_id.region.amazonaws.com/key-name . +// Path-style requests are not supported. For more information, see [Regional and Zonal endpoints]in the +// Amazon S3 User Guide. // // Permissions // diff --git a/service/s3/api_op_CopyObject.go b/service/s3/api_op_CopyObject.go index 5f8275ca650..5403315af16 100644 --- a/service/s3/api_op_CopyObject.go +++ b/service/s3/api_op_CopyObject.go 
@@ -25,12 +25,19 @@ import ( // You can copy individual objects between general purpose buckets, between // directory buckets, and between general purpose buckets and directory buckets. // -// Directory buckets - For directory buckets, you must make requests for this API -// operation to the Zonal endpoint. These endpoints support virtual-hosted-style -// requests in the format -// https://bucket_name.s3express-az_id.region.amazonaws.com/key-name . Path-style -// requests are not supported. For more information, see [Regional and Zonal endpoints]in the Amazon S3 User -// Guide. +// - Amazon S3 supports copy operations using Multi-Region Access Points only as +// a destination when using the Multi-Region Access Point ARN. +// +// - Directory buckets - For directory buckets, you must make requests for this +// API operation to the Zonal endpoint. These endpoints support +// virtual-hosted-style requests in the format +// https://bucket_name.s3express-az_id.region.amazonaws.com/key-name . +// Path-style requests are not supported. For more information, see [Regional and Zonal endpoints]in the +// Amazon S3 User Guide. +// +// - VPC endpoints don't support cross-Region requests (including copies). If +// you're using VPC endpoints, your source and destination buckets should be in the +// same Amazon Web Services Region as your VPC endpoint. // // Both the Region that you want to copy the object from and the Region that you // want to copy the object to must be enabled for your account. For more diff --git a/service/s3/api_op_HeadBucket.go b/service/s3/api_op_HeadBucket.go index e53d4f4d041..81a19528578 100644 --- a/service/s3/api_op_HeadBucket.go +++ b/service/s3/api_op_HeadBucket.go 
@@ -26,17 +26,14 @@ import ( // code. A message body is not included, so you cannot determine the exception // beyond these HTTP response codes. // -// Directory buckets - You must make requests for this API operation to the Zonal -// endpoint. These endpoints support virtual-hosted-style requests in the format -// https://bucket_name.s3express-az_id.region.amazonaws.com . Path-style requests -// are not supported. For more information, see [Regional and Zonal endpoints]in the Amazon S3 User Guide. +// Authentication and authorization General purpose buckets - Request to public +// buckets that grant the s3:ListBucket permission publicly do not need to be +// signed. All other HeadBucket requests must be authenticated and signed by using +// IAM credentials (access key ID and secret access key for the IAM identities). +// All headers with the x-amz- prefix, including x-amz-copy-source , must be +// signed. For more information, see [REST Authentication]. // -// Authentication and authorization All HeadBucket requests must be authenticated -// and signed by using IAM credentials (access key ID and secret access key for the -// IAM identities). All headers with the x-amz- prefix, including x-amz-copy-source -// , must be signed. For more information, see [REST Authentication]. -// -// Directory bucket - You must use IAM credentials to authenticate and authorize +// Directory buckets - You must use IAM credentials to authenticate and authorize // your access to the HeadBucket API operation, instead of using the temporary // security credentials through the CreateSession API operation. // 
@@ -62,6 +59,11 @@ import ( // HTTP Host header syntax Directory buckets - The HTTP Host header syntax is // Bucket_name.s3express-az_id.region.amazonaws.com . // +// You must make requests for this API operation to the Zonal endpoint. These +// endpoints support virtual-hosted-style requests in the format +// https://bucket_name.s3express-az_id.region.amazonaws.com . Path-style requests +// are not supported. For more information, see [Regional and Zonal endpoints]in the Amazon S3 User Guide. +// // [Amazon Web Services Identity and Access Management (IAM) identity-based policies for S3 Express One Zone]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html // [REST Authentication]: https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html // [Example bucket policies for S3 Express One Zone]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html @@ -146,7 +148,7 @@ type HeadBucketOutput struct { // Indicates whether the bucket name used in the request is an access point alias. // - // This functionality is not supported for directory buckets. + // For directory buckets, the value of this field is false . AccessPointAlias *bool // The name of the location where the bucket will be created. @@ -163,8 +165,6 @@ type HeadBucketOutput struct { BucketLocationType types.LocationType // The Region that the bucket is located. - // - // This functionality is not supported for directory buckets. BucketRegion *string // Metadata pertaining to the operation's result. diff --git a/service/s3/api_op_HeadObject.go b/service/s3/api_op_HeadObject.go index 064734cab2e..d2cd50c7eee 100644 --- a/service/s3/api_op_HeadObject.go +++ b/service/s3/api_op_HeadObject.go 
@@ -30,13 +30,6 @@ import ( // // Request headers are limited to 8 KB in size. For more information, see [Common Request Headers]. // -// Directory buckets - For directory buckets, you must make requests for this API -// operation to the Zonal endpoint. These endpoints support virtual-hosted-style -// requests in the format -// https://bucket_name.s3express-az_id.region.amazonaws.com/key-name . Path-style -// requests are not supported. For more information, see [Regional and Zonal endpoints]in the Amazon S3 User -// Guide. -// // Permissions // // - General purpose bucket permissions - To use HEAD , you must have the @@ -113,6 +106,12 @@ import ( // HTTP Host header syntax Directory buckets - The HTTP Host header syntax is // Bucket_name.s3express-az_id.region.amazonaws.com . // +// For directory buckets, you must make requests for this API operation to the +// Zonal endpoint. These endpoints support virtual-hosted-style requests in the +// format https://bucket_name.s3express-az_id.region.amazonaws.com/key-name . +// Path-style requests are not supported. For more information, see [Regional and Zonal endpoints]in the Amazon +// S3 User Guide. +// // The following actions are related to HeadObject : // // [GetObject] diff --git a/service/s3/api_op_ListBuckets.go b/service/s3/api_op_ListBuckets.go index 8d2f98a8c00..b047b239c7e 100644 --- a/service/s3/api_op_ListBuckets.go +++ b/service/s3/api_op_ListBuckets.go 
@@ -37,6 +37,21 @@ func (c *Client) ListBuckets(ctx context.Context, params *ListBucketsInput, optF } type ListBucketsInput struct { + + // ContinuationToken indicates to Amazon S3 that the list is being continued on + // this bucket with a token. ContinuationToken is obfuscated and is not a real + // key. You can use this ContinuationToken for pagination of the list results. + // + // Length Constraints: Minimum length of 0. Maximum length of 1024. + // + // Required: No. + ContinuationToken *string + + // Maximum number of buckets to be returned in response. When the number is more + // than the count of buckets that are owned by an Amazon Web Services account, + // return all the buckets in response. + MaxBuckets *int32 + noSmithyDocumentSerde } @@ -45,6 +60,12 @@ type ListBucketsOutput struct { // The list of buckets owned by the requester. Buckets []types.Bucket + // ContinuationToken is included in the response when there are more buckets that + // can be listed with pagination. The next ListBuckets request to Amazon S3 can be + // continued with this ContinuationToken . ContinuationToken is obfuscated and is + // not a real bucket. + ContinuationToken *string + // The owner of the buckets listed. Owner *types.Owner 
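Review bot: The new ContinuationToken comment on ListBucketsInput says the list is continued "on this bucket" and that the token "is not a real key", which is object-listing wording and does not fit an operation that lists buckets. The ListDirectoryBuckets hunk later in this diff rewords the identical sentence, and the new ListBucketsOutput comment in the next hunk says "not a real bucket", so the three descriptions disagree. I would align the input comment with the corrected form: `// buckets in this account with a token. ContinuationToken is obfuscated and is` followed by `// not a real bucket name.` If these comments are emitted from the service model, as the file layout suggests, the wording has to be fixed there rather than in this file.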
@@ -154,6 +175,100 @@ func (c *Client) addOperationListBucketsMiddlewares(stack *middleware.Stack, opt return nil } +// ListBucketsPaginatorOptions is the paginator options for ListBuckets +type ListBucketsPaginatorOptions struct { + // Maximum number of buckets to be returned in response. When the number is more + // than the count of buckets that are owned by an Amazon Web Services account, + // return all the buckets in response. + Limit int32 + + // Set to true if pagination should stop if the service returns a pagination token + // that matches the most recent token provided to the service. + StopOnDuplicateToken bool +} + +// ListBucketsPaginator is a paginator for ListBuckets +type ListBucketsPaginator struct { + options ListBucketsPaginatorOptions + client ListBucketsAPIClient + params *ListBucketsInput + nextToken *string + firstPage bool +} + +// NewListBucketsPaginator returns a new ListBucketsPaginator +func NewListBucketsPaginator(client ListBucketsAPIClient, params *ListBucketsInput, optFns ...func(*ListBucketsPaginatorOptions)) *ListBucketsPaginator { + if params == nil { + params = &ListBucketsInput{} + } + + options := ListBucketsPaginatorOptions{} + if params.MaxBuckets != nil { + options.Limit = *params.MaxBuckets + } + + for _, fn := range optFns { + fn(&options) + } + + return &ListBucketsPaginator{ + options: options, + client: client, + params: params, + firstPage: true, + nextToken: params.ContinuationToken, + } +} + +// HasMorePages returns a boolean indicating whether more pages are available +func (p *ListBucketsPaginator) HasMorePages() bool { + return p.firstPage || (p.nextToken != nil && len(*p.nextToken) != 0) +} + +// NextPage retrieves the next ListBuckets page. 
+func (p *ListBucketsPaginator) NextPage(ctx context.Context, optFns ...func(*Options)) (*ListBucketsOutput, error) { + if !p.HasMorePages() { + return nil, fmt.Errorf("no more pages available") + } + + params := *p.params + params.ContinuationToken = p.nextToken + + var limit *int32 + if p.options.Limit > 0 { + limit = &p.options.Limit + } + params.MaxBuckets = limit + + optFns = append([]func(*Options){ + addIsPaginatorUserAgent, + }, optFns...) + result, err := p.client.ListBuckets(ctx, ¶ms, optFns...) + if err != nil { + return nil, err + } + p.firstPage = false + + prevToken := p.nextToken + p.nextToken = result.ContinuationToken + + if p.options.StopOnDuplicateToken && + prevToken != nil && + p.nextToken != nil && + *prevToken == *p.nextToken { + p.nextToken = nil + } + + return result, nil +} + +// ListBucketsAPIClient is a client that implements the ListBuckets operation. +type ListBucketsAPIClient interface { + ListBuckets(context.Context, *ListBucketsInput, ...func(*Options)) (*ListBucketsOutput, error) +} + +var _ ListBucketsAPIClient = (*Client)(nil) + func newServiceMetadataMiddleware_opListBuckets(region string) *awsmiddleware.RegisterServiceMetadata { return &awsmiddleware.RegisterServiceMetadata{ Region: region, diff --git a/service/s3/api_op_ListDirectoryBuckets.go b/service/s3/api_op_ListDirectoryBuckets.go index 5fdf9e6c7a2..8fccf32bc1a 100644 --- a/service/s3/api_op_ListDirectoryBuckets.go +++ b/service/s3/api_op_ListDirectoryBuckets.go 
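Review bot: NextPage clears nextToken on a repeated token only when StopOnDuplicateToken is set, and NewListBucketsPaginator starts from a zero-value `ListBucketsPaginatorOptions{}`, so the guard is off unless the caller enables it. A `for p.HasMorePages()` loop therefore ends only when the service returns a nil or empty ContinuationToken, and the comments do not say so. I would state this on the option, for example `// StopOnDuplicateToken is false by default; without it paging ends only on an empty token.` The NextPage comment should also mention its error path: `// NextPage retrieves the next ListBuckets page. It returns an error if HasMorePages reports false.`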
@@ -54,8 +54,9 @@ func (c *Client) ListDirectoryBuckets(ctx context.Context, params *ListDirectory type ListDirectoryBucketsInput struct { // ContinuationToken indicates to Amazon S3 that the list is being continued on - // this bucket with a token. ContinuationToken is obfuscated and is not a real - // key. You can use this ContinuationToken for pagination of the list results. + // buckets in this account with a token. ContinuationToken is obfuscated and is + // not a real bucket name. You can use this ContinuationToken for the pagination + // of the list results. ContinuationToken *string // Maximum number of buckets to be returned in response. When the number is more diff --git a/service/s3/api_op_ListMultipartUploads.go b/service/s3/api_op_ListMultipartUploads.go index 60f9e130687..e84fae68ac0 100644 --- a/service/s3/api_op_ListMultipartUploads.go +++ b/service/s3/api_op_ListMultipartUploads.go @@ -19,7 +19,10 @@ import ( // // Directory buckets - If multipart uploads in a directory bucket are in progress, // you can't delete the bucket until all the in-progress multipart uploads are -// aborted or completed. +// aborted or completed. To delete these in-progress multipart uploads, use the +// ListMultipartUploads operation to list the in-progress multipart uploads in the +// bucket and use the AbortMultupartUpload operation to abort all the in-progress +// multipart uploads. // // The ListMultipartUploads operation returns a maximum of 1,000 multipart uploads // in the response. The limit of 1,000 multipart uploads is also the default value. 
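Review bot: The paragraph added to the ListMultipartUploads comment in api_op_ListMultipartUploads.go misspells the abort operation as `AbortMultupartUpload`; the S3 operation is AbortMultipartUpload. A reader who copies the name into a search or into code will not find it. The line should read `// bucket and use the AbortMultipartUpload operation to abort all the in-progress`. The doc comment starts above the hunk and continues below it.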
@@ -169,12 +172,20 @@ type ListMultipartUploadsInput struct { // Directory buckets - For directory buckets, / is the only supported delimiter. Delimiter *string - // Requests Amazon S3 to encode the object keys in the response and specifies the - // encoding method to use. An object key can contain any Unicode character; - // however, the XML 1.0 parser cannot parse some characters, such as characters - // with an ASCII value from 0 to 10. For characters that are not supported in XML - // 1.0, you can add this parameter to request that Amazon S3 encode the keys in the - // response. + // Encoding type used by Amazon S3 to encode the [object keys] in the response. Responses are + // encoded only in UTF-8. An object key can contain any Unicode character. However, + // the XML 1.0 parser can't parse certain characters, such as characters with an + // ASCII value from 0 to 10. For characters that aren't supported in XML 1.0, you + // can add this parameter to request that Amazon S3 encode the keys in the + // response. For more information about characters to avoid in object key names, + // see [Object key naming guidelines]. + // + // When using the URL encoding type, non-ASCII characters that are used in an + // object's key name will be percent-encoded according to UTF-8 code values. For + // example, the object test_file(3).png will appear as test_file%283%29.png . + // + // [Object key naming guidelines]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines + // [object keys]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html EncodingType types.EncodingType // The account ID of the expected bucket owner. If the account ID that you provide diff --git a/service/s3/api_op_ListObjectVersions.go b/service/s3/api_op_ListObjectVersions.go index 2f7cc8d2c93..4e1b840ce0b 100644 --- a/service/s3/api_op_ListObjectVersions.go +++ b/service/s3/api_op_ListObjectVersions.go 
@@ -70,12 +70,20 @@ type ListObjectVersionsInput struct { // are not returned elsewhere in the response. Delimiter *string - // Requests Amazon S3 to encode the object keys in the response and specifies the - // encoding method to use. An object key can contain any Unicode character; - // however, the XML 1.0 parser cannot parse some characters, such as characters - // with an ASCII value from 0 to 10. For characters that are not supported in XML - // 1.0, you can add this parameter to request that Amazon S3 encode the keys in the - // response. + // Encoding type used by Amazon S3 to encode the [object keys] in the response. Responses are + // encoded only in UTF-8. An object key can contain any Unicode character. However, + // the XML 1.0 parser can't parse certain characters, such as characters with an + // ASCII value from 0 to 10. For characters that aren't supported in XML 1.0, you + // can add this parameter to request that Amazon S3 encode the keys in the + // response. For more information about characters to avoid in object key names, + // see [Object key naming guidelines]. + // + // When using the URL encoding type, non-ASCII characters that are used in an + // object's key name will be percent-encoded according to UTF-8 code values. For + // example, the object test_file(3).png will appear as test_file%283%29.png . + // + // [Object key naming guidelines]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines + // [object keys]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html EncodingType types.EncodingType // The account ID of the expected bucket owner. If the account ID that you provide diff --git a/service/s3/api_op_ListObjects.go b/service/s3/api_op_ListObjects.go index 3ad2ff82505..599f2cad35e 100644 --- a/service/s3/api_op_ListObjects.go +++ b/service/s3/api_op_ListObjects.go 
@@ -99,12 +99,20 @@ type ListObjectsInput struct { // A delimiter is a character that you use to group keys. Delimiter *string - // Requests Amazon S3 to encode the object keys in the response and specifies the - // encoding method to use. An object key can contain any Unicode character; - // however, the XML 1.0 parser cannot parse some characters, such as characters - // with an ASCII value from 0 to 10. For characters that are not supported in XML - // 1.0, you can add this parameter to request that Amazon S3 encode the keys in the - // response. + // Encoding type used by Amazon S3 to encode the [object keys] in the response. Responses are + // encoded only in UTF-8. An object key can contain any Unicode character. However, + // the XML 1.0 parser can't parse certain characters, such as characters with an + // ASCII value from 0 to 10. For characters that aren't supported in XML 1.0, you + // can add this parameter to request that Amazon S3 encode the keys in the + // response. For more information about characters to avoid in object key names, + // see [Object key naming guidelines]. + // + // When using the URL encoding type, non-ASCII characters that are used in an + // object's key name will be percent-encoded according to UTF-8 code values. For + // example, the object test_file(3).png will appear as test_file%283%29.png . + // + // [Object key naming guidelines]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines + // [object keys]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html EncodingType types.EncodingType // The account ID of the expected bucket owner. If the account ID that you provide 
@@ -172,9 +180,20 @@ type ListObjectsOutput struct { // MaxKeys value. Delimiter *string - // Encoding type used by Amazon S3 to encode object keys in the response. If using - // url , non-ASCII characters used in an object's key name will be URL encoded. For + // Encoding type used by Amazon S3 to encode the [object keys] in the response. Responses are + // encoded only in UTF-8. An object key can contain any Unicode character. However, + // the XML 1.0 parser can't parse certain characters, such as characters with an + // ASCII value from 0 to 10. For characters that aren't supported in XML 1.0, you + // can add this parameter to request that Amazon S3 encode the keys in the + // response. For more information about characters to avoid in object key names, + // see [Object key naming guidelines]. + // + // When using the URL encoding type, non-ASCII characters that are used in an + // object's key name will be percent-encoded according to UTF-8 code values. For // example, the object test_file(3).png will appear as test_file%283%29.png . + // + // [Object key naming guidelines]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines + // [object keys]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html EncodingType types.EncodingType // A flag that indicates whether Amazon S3 returned all of the results that diff --git a/service/s3/api_op_ListObjectsV2.go b/service/s3/api_op_ListObjectsV2.go index 90449736195..e3af9b0bffa 100644 --- a/service/s3/api_op_ListObjectsV2.go +++ b/service/s3/api_op_ListObjectsV2.go 
@@ -22,12 +22,18 @@ import ( // For more information about listing objects, see [Listing object keys programmatically] in the Amazon S3 User Guide. // To get a list of your buckets, see [ListBuckets]. // -// Directory buckets - For directory buckets, you must make requests for this API -// operation to the Zonal endpoint. These endpoints support virtual-hosted-style -// requests in the format -// https://bucket_name.s3express-az_id.region.amazonaws.com/key-name . Path-style -// requests are not supported. For more information, see [Regional and Zonal endpoints]in the Amazon S3 User -// Guide. +// - General purpose bucket - For general purpose buckets, ListObjectsV2 doesn't +// return prefixes that are related only to in-progress multipart uploads. +// +// - Directory buckets - For directory buckets, ListObjectsV2 response includes +// the prefixes that are related only to in-progress multipart uploads. +// +// - Directory buckets - For directory buckets, you must make requests for this +// API operation to the Zonal endpoint. These endpoints support +// virtual-hosted-style requests in the format +// https://bucket_name.s3express-az_id.region.amazonaws.com/key-name . +// Path-style requests are not supported. For more information, see [Regional and Zonal endpoints]in the +// Amazon S3 User Guide. // // Permissions // 
@@ -152,9 +158,20 @@ type ListObjectsV2Input struct { // [Multipart Upload Overview]: https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html Delimiter *string - // Encoding type used by Amazon S3 to encode object keys in the response. If using - // url , non-ASCII characters used in an object's key name will be URL encoded. For + // Encoding type used by Amazon S3 to encode the [object keys] in the response. Responses are + // encoded only in UTF-8. An object key can contain any Unicode character. However, + // the XML 1.0 parser can't parse certain characters, such as characters with an + // ASCII value from 0 to 10. For characters that aren't supported in XML 1.0, you + // can add this parameter to request that Amazon S3 encode the keys in the + // response. For more information about characters to avoid in object key names, + // see [Object key naming guidelines]. + // + // When using the URL encoding type, non-ASCII characters that are used in an + // object's key name will be percent-encoded according to UTF-8 code values. For // example, the object test_file(3).png will appear as test_file%283%29.png . + // + // [Object key naming guidelines]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines + // [object keys]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html EncodingType types.EncodingType // The account ID of the expected bucket owner. If the account ID that you provide diff --git a/service/s3/api_op_PutBucketEncryption.go b/service/s3/api_op_PutBucketEncryption.go index 187e73f2484..bcf0d440961 100644 --- a/service/s3/api_op_PutBucketEncryption.go +++ b/service/s3/api_op_PutBucketEncryption.go 
@@ -29,7 +29,13 @@ import ( // set your [default bucket encryption]to SSE-KMS, you should verify that your KMS key ID is correct. Amazon // S3 does not validate the KMS key ID provided in PutBucketEncryption requests. // -// This action requires Amazon Web Services Signature Version 4. For more +// If you're specifying a customer managed KMS key, we recommend using a fully +// qualified KMS key ARN. If you use a KMS key alias instead, then KMS resolves the +// key within the requester’s account. This behavior can result in data that's +// encrypted with a KMS key that belongs to the requester, and not the bucket +// owner. +// +// Also, this action requires Amazon Web Services Signature Version 4. For more // information, see [Authenticating Requests (Amazon Web Services Signature Version 4)]. // // To use this operation, you must have permission to perform the diff --git a/service/s3/api_op_PutBucketVersioning.go b/service/s3/api_op_PutBucketVersioning.go index 25b038ecf33..fefdc109d63 100644 --- a/service/s3/api_op_PutBucketVersioning.go +++ b/service/s3/api_op_PutBucketVersioning.go @@ -17,6 +17,11 @@ import ( // This operation is not supported by directory buckets. // +// When you enable versioning on a bucket for the first time, it might take a +// short amount of time for the change to be fully propagated. We recommend that +// you wait for 15 minutes after enabling versioning before issuing write +// operations ( PUT or DELETE ) on objects in the bucket. +// // Sets the versioning state of an existing bucket. // // You can set the versioning state with one of the following values: diff --git a/service/s3/deserializers.go b/service/s3/deserializers.go index d953cdc1cab..62972c320fe 100644 --- a/service/s3/deserializers.go +++ b/service/s3/deserializers.go 
@@ -8113,6 +8113,19 @@ func awsRestxml_deserializeOpDocumentListBucketsOutput(v **ListBucketsOutput, de return err } + case strings.EqualFold("ContinuationToken", t.Name.Local): + val, err := decoder.Value() + if err != nil { + return err + } + if val == nil { + break + } + { + xtv := string(val) + sv.ContinuationToken = ptr.String(xtv) + } + case strings.EqualFold("Owner", t.Name.Local): nodeDecoder := smithyxml.WrapNodeDecoder(decoder.Decoder, t) if err := awsRestxml_deserializeDocumentOwner(&sv.Owner, nodeDecoder); err != nil { diff --git a/service/s3/serializers.go b/service/s3/serializers.go index 96022eee0f3..99786aacf99 100644 --- a/service/s3/serializers.go +++ b/service/s3/serializers.go @@ -4546,6 +4546,10 @@ func (m *awsRestxml_serializeOpListBuckets) HandleSerialize(ctx context.Context, return out, metadata, &smithy.SerializationError{Err: err} } + if err := awsRestxml_serializeOpHttpBindingsListBucketsInput(input, restEncoder); err != nil { + return out, metadata, &smithy.SerializationError{Err: err} + } + if request.Request, err = restEncoder.Encode(request.Request); err != nil { return out, metadata, &smithy.SerializationError{Err: err} } @@ -4558,6 +4562,14 @@ func awsRestxml_serializeOpHttpBindingsListBucketsInput(v *ListBucketsInput, enc return fmt.Errorf("unsupported serialization of nil %T", v) } + if v.ContinuationToken != nil { + encoder.SetQuery("continuation-token").String(*v.ContinuationToken) + } + + if v.MaxBuckets != nil { + encoder.SetQuery("max-buckets").Integer(*v.MaxBuckets) + } + return nil } diff --git a/service/s3/types/types.go b/service/s3/types/types.go index e2775f5a117..c1c68be335a 100644 --- a/service/s3/types/types.go +++ b/service/s3/types/types.go 
@@ -673,8 +673,8 @@ type CSVOutput struct { noSmithyDocumentSerde } -// The container element for specifying the default Object Lock retention settings -// for new objects placed in the specified bucket. +// The container element for optionally specifying the default Object Lock +// retention settings for new objects placed in the specified bucket. // // - The DefaultRetention settings require both a mode and a period. // @@ -870,6 +870,12 @@ type Encryption struct { // Specifies encryption-related information for an Amazon S3 bucket that is a // destination for replicated objects. +// +// If you're specifying a customer managed KMS key, we recommend using a fully +// qualified KMS key ARN. If you use a KMS key alias instead, then KMS resolves the +// key within the requester’s account. This behavior can result in data that's +// encrypted with a KMS key that belongs to the requester, and not the bucket +// owner. type EncryptionConfiguration struct { // Specifies the ID (Key ARN or Alias ARN) of the customer managed Amazon Web @@ -3029,7 +3035,14 @@ type Part struct { type PartitionedPrefix struct { // Specifies the partition date source for the partitioned prefix. - // PartitionDateSource can be EventTime or DeliveryTime. + // PartitionDateSource can be EventTime or DeliveryTime . + // + // For DeliveryTime , the time in the log file names corresponds to the delivery + // time for the log files. + // + // For EventTime , The logs delivered are for a specific day only. The year, month, + // and day correspond to the day on which the event occurred, and the hour, minutes + // and seconds are set to 00 in the key. PartitionDateSource PartitionDateSource noSmithyDocumentSerde 
@@ -3107,8 +3120,8 @@ type PublicAccessBlockConfiguration struct { // Specifies whether Amazon S3 should restrict public bucket policies for this // bucket. Setting this element to TRUE restricts access to this bucket to only - // Amazon Web Service principals and authorized users within this account if the - // bucket has a public policy. + // Amazon Web Servicesservice principals and authorized users within this account + // if the bucket has a public policy. // // Enabling this setting doesn't affect previously stored bucket policies, except // that public and cross-account access within any public bucket policy, including @@ -3149,7 +3162,14 @@ type QueueConfiguration struct { // The container for the records event. type RecordsEvent struct { - // The byte array of partial, one or more result records. + // The byte array of partial, one or more result records. S3 Select doesn't + // guarantee that a record will be self-contained in one record frame. To ensure + // continuous streaming of data, S3 Select might split the same record across + // multiple record frames instead of aggregating the results in memory. Some S3 + // clients (for example, the SDK for Java) handle this behavior by creating a + // ByteStream out of the response by default. Other clients might not handle this + // behavior by default. In those cases, you must aggregate the results on the + // client side and parse the response. Payload []byte noSmithyDocumentSerde 
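Review bot: In the PublicAccessBlockConfiguration hunk the rewritten comment reads "Amazon Web Servicesservice principals", with two words run together. This sentence describes who can still reach a bucket that has a public policy, so it should be exact: `// Amazon Web Services service principals and authorized users within this account`. The field that this comment documents is declared below the hunk.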
@@ -3711,6 +3731,12 @@ type SelectParameters struct { // encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for // SSE-KMS. For more information, see [PUT Bucket encryption]in the Amazon S3 API Reference. // +// If you're specifying a customer managed KMS key, we recommend using a fully +// qualified KMS key ARN. If you use a KMS key alias instead, then KMS resolves the +// key within the requester’s account. This behavior can result in data that's +// encrypted with a KMS key that belongs to the requester, and not the bucket +// owner. +// // [PUT Bucket encryption]: https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html type ServerSideEncryptionByDefault struct { @@ -3763,6 +3789,12 @@ type ServerSideEncryptionConfiguration struct { } // Specifies the default server-side encryption configuration. +// +// If you're specifying a customer managed KMS key, we recommend using a fully +// qualified KMS key ARN. If you use a KMS key alias instead, then KMS resolves the +// key within the requester’s account. This behavior can result in data that's +// encrypted with a KMS key that belongs to the requester, and not the bucket +// owner. type ServerSideEncryptionRule struct { // Specifies the default server-side encryption to apply to new objects in the