@aws-cdk-automation commented Aug 25, 2025

Updates the L1 CloudFormation resource definitions with the latest changes from @aws-cdk/aws-service-spec

L1 CloudFormation resource definition changes:

├[~] service aws-appintegrations
│ └ resources
│    └[~]  resource AWS::AppIntegrations::Application
│       └ properties
│          └ IsService: (documentation changed)
├[~] service aws-aps
│ └ resources
│    ├[+]  resource AWS::APS::ResourcePolicy
│    │  ├      name: ResourcePolicy
│    │  │      cloudFormationType: AWS::APS::ResourcePolicy
│    │  │      documentation: Use resource-based policies to grant permissions to other AWS accounts or services to access your workspace.
│    │  │      Only Prometheus-compatible APIs can be used for workspace sharing. You can add non-Prometheus-compatible APIs to the policy, but they will be ignored. For more information, see [Prometheus-compatible APIs](https://docs.aws.amazon.com/prometheus/latest/userguide/AMP-APIReference-Prometheus-Compatible-Apis.html) in the *Amazon Managed Service for Prometheus User Guide* .
│    │  │      If your workspace uses customer-managed AWS KMS keys for encryption, you must grant the principals in your resource-based policy access to those AWS KMS keys. You can do this by creating AWS KMS grants. For more information, see [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) in the *AWS KMS API Reference* and [Encryption at rest](https://docs.aws.amazon.com/prometheus/latest/userguide/encryption-at-rest-Amazon-Service-Prometheus.html) in the *Amazon Managed Service for Prometheus User Guide* .
│    │  │      For more information about working with IAM , see [Using Amazon Managed Service for Prometheus with IAM](https://docs.aws.amazon.com/prometheus/latest/userguide/security_iam_service-with-iam.html) in the *Amazon Managed Service for Prometheus User Guide* .
│    │  └ properties
│    │     ├ WorkspaceArn: string (required, immutable)
│    │     └ PolicyDocument: string (required)
│    └[~]  resource AWS::APS::Workspace
│       ├ properties
│       │  └ LoggingConfiguration: (documentation changed)
│       └ types
│          └[~] type LoggingFilter
│            └ properties
│               └ QspThreshold: (documentation changed)
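Review bot: In the new AWS::APS::ResourcePolicy resource, PolicyDocument is typed as a plain string (required), so nothing in the generated L1 type checks that the value is a well-formed policy or how broad its principals are. Since the documentation says this policy grants other AWS accounts or services access to the workspace, the property documentation should state that the value is a serialized JSON policy document. WorkspaceArn is immutable, so pointing the policy at a different workspace replaces the resource.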
├[~] service aws-b2bi
│ └ resources
│    └[~]  resource AWS::B2BI::Transformer
│       └ types
│          ├[~] type OutputConversion
│          │ └ properties
│          │    └[+] AdvancedOptions: AdvancedOptions
│          ├[~] type X12AdvancedOptions
│          │ └ properties
│          │    └[+] ValidationOptions: X12ValidationOptions
│          ├[+]  type X12CodeListValidationRule
│          │  ├      name: X12CodeListValidationRule
│          │  └ properties
│          │     ├ ElementId: string (required)
│          │     ├ CodesToAdd: Array<string>
│          │     └ CodesToRemove: Array<string>
│          ├[+]  type X12ElementLengthValidationRule
│          │  ├      name: X12ElementLengthValidationRule
│          │  └ properties
│          │     ├ ElementId: string (required)
│          │     ├ MaxLength: number (required)
│          │     └ MinLength: number (required)
│          ├[+]  type X12ElementRequirementValidationRule
│          │  ├      name: X12ElementRequirementValidationRule
│          │  └ properties
│          │     ├ ElementPosition: string (required)
│          │     └ Requirement: string (required)
│          ├[+]  type X12ValidationOptions
│          │  ├      name: X12ValidationOptions
│          │  └ properties
│          │     └ ValidationRules: Array<X12ValidationRule>
│          └[+]  type X12ValidationRule
│             ├      name: X12ValidationRule
│             └ properties
│                ├ CodeListValidationRule: X12CodeListValidationRule
│                ├ ElementLengthValidationRule: X12ElementLengthValidationRule
│                └ ElementRequirementValidationRule: X12ElementRequirementValidationRule
├[~] service aws-batch
│ └ resources
│    └[~]  resource AWS::Batch::ComputeEnvironment
│       └ types
│          ├[~] type ComputeResources
│          │ └ properties
│          │    └ InstanceTypes: (documentation changed)
│          └[~] type LaunchTemplateSpecificationOverride
│            └ properties
│               └ TargetInstanceTypes: (documentation changed)
├[~] service aws-datazone
│ └ resources
│    └[+]  resource AWS::DataZone::PolicyGrant
│       ├      name: PolicyGrant
│       │      cloudFormationType: AWS::DataZone::PolicyGrant
│       │      documentation: Policy Grant in AWS DataZone is an explicit authorization assignment that allows a specific principal (user, group, or project) to perform particular actions (such as creating glossary terms, managing projects, or accessing resources) on governed resources within a certain scope (like a Domain Unit or Project). Policy Grants are essentially the mechanism by which DataZone enforces fine-grained, role-based access control beyond what is possible through AWS IAM alone.
│       ├ properties
│       │  ├ EntityType: string (required, immutable)
│       │  ├ PolicyType: string (required, immutable)
│       │  ├ EntityIdentifier: string (required, immutable)
│       │  ├ Detail: PolicyGrantDetail (immutable)
│       │  ├ Principal: PolicyGrantPrincipal (immutable)
│       │  └ DomainIdentifier: string (required, immutable)
│       ├ attributes
│       │  ├ GrantId: string
│       │  ├ CreatedAt: string
│       │  └ CreatedBy: string
│       └ types
│          ├ type AddToProjectMemberPoolPolicyGrantDetail
│          │ ├      name: AddToProjectMemberPoolPolicyGrantDetail
│          │ └ properties
│          │    └ IncludeChildDomainUnits: boolean
│          ├ type CreateAssetTypePolicyGrantDetail
│          │ ├      name: CreateAssetTypePolicyGrantDetail
│          │ └ properties
│          │    └ IncludeChildDomainUnits: boolean
│          ├ type CreateDomainUnitPolicyGrantDetail
│          │ ├      name: CreateDomainUnitPolicyGrantDetail
│          │ └ properties
│          │    └ IncludeChildDomainUnits: boolean
│          ├ type CreateEnvironmentProfilePolicyGrantDetail
│          │ ├      name: CreateEnvironmentProfilePolicyGrantDetail
│          │ └ properties
│          │    └ DomainUnitId: string
│          ├ type CreateFormTypePolicyGrantDetail
│          │ ├      name: CreateFormTypePolicyGrantDetail
│          │ └ properties
│          │    └ IncludeChildDomainUnits: boolean
│          ├ type CreateGlossaryPolicyGrantDetail
│          │ ├      name: CreateGlossaryPolicyGrantDetail
│          │ └ properties
│          │    └ IncludeChildDomainUnits: boolean
│          ├ type CreateProjectFromProjectProfilePolicyGrantDetail
│          │ ├      name: CreateProjectFromProjectProfilePolicyGrantDetail
│          │ └ properties
│          │    ├ ProjectProfiles: Array<string>
│          │    └ IncludeChildDomainUnits: boolean
│          ├ type CreateProjectPolicyGrantDetail
│          │ ├      name: CreateProjectPolicyGrantDetail
│          │ └ properties
│          │    └ IncludeChildDomainUnits: boolean
│          ├ type DomainUnitFilterForProject
│          │ ├      name: DomainUnitFilterForProject
│          │ └ properties
│          │    ├ DomainUnit: string (required)
│          │    └ IncludeChildDomainUnits: boolean (default=false)
│          ├ type DomainUnitGrantFilter
│          │ ├      name: DomainUnitGrantFilter
│          │ └ properties
│          │    └ AllDomainUnitsGrantFilter: json (required)
│          ├ type DomainUnitPolicyGrantPrincipal
│          │ ├      name: DomainUnitPolicyGrantPrincipal
│          │ └ properties
│          │    ├ DomainUnitGrantFilter: DomainUnitGrantFilter
│          │    ├ DomainUnitDesignation: string
│          │    └ DomainUnitIdentifier: string
│          ├ type GroupPolicyGrantPrincipal
│          │ ├      name: GroupPolicyGrantPrincipal
│          │ └ properties
│          │    └ GroupIdentifier: string (required)
│          ├ type OverrideDomainUnitOwnersPolicyGrantDetail
│          │ ├      name: OverrideDomainUnitOwnersPolicyGrantDetail
│          │ └ properties
│          │    └ IncludeChildDomainUnits: boolean
│          ├ type OverrideProjectOwnersPolicyGrantDetail
│          │ ├      name: OverrideProjectOwnersPolicyGrantDetail
│          │ └ properties
│          │    └ IncludeChildDomainUnits: boolean
│          ├ type PolicyGrantDetail
│          │ ├      name: PolicyGrantDetail
│          │ └ properties
│          │    ├ CreateDomainUnit: CreateDomainUnitPolicyGrantDetail
│          │    ├ OverrideDomainUnitOwners: OverrideDomainUnitOwnersPolicyGrantDetail
│          │    ├ AddToProjectMemberPool: AddToProjectMemberPoolPolicyGrantDetail
│          │    ├ OverrideProjectOwners: OverrideProjectOwnersPolicyGrantDetail
│          │    ├ CreateGlossary: CreateGlossaryPolicyGrantDetail
│          │    ├ CreateFormType: CreateFormTypePolicyGrantDetail
│          │    ├ CreateAssetType: CreateAssetTypePolicyGrantDetail
│          │    ├ CreateProject: CreateProjectPolicyGrantDetail
│          │    ├ CreateEnvironmentProfile: CreateEnvironmentProfilePolicyGrantDetail
│          │    ├ DelegateCreateEnvironmentProfile: json
│          │    ├ CreateEnvironment: json
│          │    ├ CreateEnvironmentFromBlueprint: json
│          │    └ CreateProjectFromProjectProfile: CreateProjectFromProjectProfilePolicyGrantDetail
│          ├ type PolicyGrantPrincipal
│          │ ├      name: PolicyGrantPrincipal
│          │ └ properties
│          │    ├ User: UserPolicyGrantPrincipal
│          │    ├ Group: GroupPolicyGrantPrincipal
│          │    ├ Project: ProjectPolicyGrantPrincipal
│          │    └ DomainUnit: DomainUnitPolicyGrantPrincipal
│          ├ type ProjectGrantFilter
│          │ ├      name: ProjectGrantFilter
│          │ └ properties
│          │    └ DomainUnitFilter: DomainUnitFilterForProject (required)
│          ├ type ProjectPolicyGrantPrincipal
│          │ ├      name: ProjectPolicyGrantPrincipal
│          │ └ properties
│          │    ├ ProjectIdentifier: string
│          │    ├ ProjectDesignation: string
│          │    └ ProjectGrantFilter: ProjectGrantFilter
│          └ type UserPolicyGrantPrincipal
│            ├      name: UserPolicyGrantPrincipal
│            └ properties
│               ├ UserIdentifier: string
│               └ AllUsersGrantFilter: json
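Review bot: In AWS::DataZone::PolicyGrant, Detail and Principal are the only top-level properties not marked required, and the all-users and all-domain-units principal filters (AllUsersGrantFilter, AllDomainUnitsGrantFilter) are typed as bare json, as are the CreateEnvironment, CreateEnvironmentFromBlueprint and DelegateCreateEnvironmentProfile details. None of the nested types carries documentation in this diff, so the generated L1 gives no guidance on what those json values must contain; property-level documentation would help anyone reviewing a grant. Every input property is immutable, so any edit to a grant replaces it.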
├[~] service aws-deadline
│ └ resources
│    ├[~]  resource AWS::Deadline::Fleet
│    │  └ attributes
│    │     └ StatusMessage: (documentation changed)
│    └[~]  resource AWS::Deadline::LicenseEndpoint
│       └ properties
│          └ VpcId: (documentation changed)
├[~] service aws-dynamodb
│ └ resources
│    ├[~]  resource AWS::DynamoDB::GlobalTable
│    │  └ types
│    │     └[~] type ContributorInsightsSpecification
│    │       └ properties
│    │          └ Mode: (documentation changed)
│    └[~]  resource AWS::DynamoDB::Table
│       ├ properties
│       │  ├ ContributorInsightsSpecification: (documentation changed)
│       │  └ StreamSpecification: (documentation changed)
│       └ types
│          ├[~] type ContributorInsightsSpecification
│          │ ├      - documentation: The settings used to enable or disable CloudWatch Contributor Insights.
│          │ │      + documentation: Configures contributor insights settings for a table or one of its indexes.
│          │ └ properties
│          │    └ Mode: (documentation changed)
│          ├[~] type GlobalSecondaryIndex
│          │ └ properties
│          │    └ ContributorInsightsSpecification: (documentation changed)
│          └[~] type StreamSpecification
│            └ properties
│               └ ResourcePolicy: (documentation changed)
├[~] service aws-ec2
│ └ resources
│    ├[~]  resource AWS::EC2::IpPoolRouteTableAssociation
│    │  ├      - documentation: Resource Type definition for AWS::EC2::IpPoolRouteTableAssociation
│    │  │      + documentation: A route server association is the connection established between a route server and a VPC.
│    │  ├ properties
│    │  │  ├ PublicIpv4Pool: (documentation changed)
│    │  │  └ RouteTableId: (documentation changed)
│    │  └ attributes
│    │     └ AssociationId: (documentation changed)
│    └[~]  resource AWS::EC2::VPNConnection
│       └ properties
│          └[+] PreSharedKeyStorage: string (immutable)
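Review bot: PreSharedKeyStorage on AWS::EC2::VPNConnection is added as a free-form string with no documentation or allowed values shown in this diff, and it is immutable, so changing it replaces the VPN connection. Judging by its name the property controls where the tunnel pre-shared key is stored, so the accepted values and the default should be documented before users depend on it.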
├[~] service aws-ecs
│ └ resources
│    └[~]  resource AWS::ECS::Service
│       └ properties
│          └ AvailabilityZoneRebalancing: - string (default="ENABLED")
│                                         + string (default="DISABLED")
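Review bot: The default for AvailabilityZoneRebalancing on AWS::ECS::Service flips from "ENABLED" to "DISABLED" here, the only change to an existing default in the visible part of this update. The description does not say whether this tracks a service-side behaviour change or corrects the spec; it deserves a changelog line so that users who relied on the previously documented default set the property explicitly.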
├[~] service aws-eks
│ └ resources
│    └[~]  resource AWS::EKS::Addon
│       ├ properties
│       │  └[+] NamespaceConfig: NamespaceConfig (immutable)
│       └ types
│          └[+]  type NamespaceConfig
│             ├      documentation: The custom namespace configuration to use with the add-on
│             │      name: NamespaceConfig
│             └ properties
│                └ Namespace: string (required)
├[~] service aws-entityresolution
│ └ resources
│    └[~]  resource AWS::EntityResolution::IdMappingWorkflow
│       ├ properties
│       │  └[+] IdMappingIncrementalRunConfig: IdMappingIncrementalRunConfig
│       └ types
│          └[+]  type IdMappingIncrementalRunConfig
│             ├      name: IdMappingIncrementalRunConfig
│             └ properties
│                └ IncrementalRunType: string (required)
├[~] service aws-events
│ └ resources
│    └[~]  resource AWS::Events::Rule
│       ├      - tagInformation: undefined
│       │      + tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│       └ properties
│          └[+] Tags: Array<tag>
├[~] service aws-fsx
│ └ resources
│    └[~]  resource AWS::FSx::FileSystem
│       ├ properties
│       │  └[+] NetworkType: string
│       └ types
│          └[~] type OpenZFSConfiguration
│            └ properties
│               └[+] EndpointIpv6AddressRange: string
├[~] service aws-glue
│ └ resources
│    ├[~]  resource AWS::Glue::Connection
│    │  └ types
│    │     └[~] type ConnectionInput
│    │       └ properties
│    │          └ ConnectionType: (documentation changed)
│    └[~]  resource AWS::Glue::TableOptimizer
│       └ types
│          ├[+]  type IcebergRetentionConfiguration
│          │  ├      name: IcebergRetentionConfiguration
│          │  └ properties
│          │     ├ SnapshotRetentionPeriodInDays: integer
│          │     ├ NumberOfSnapshotsToRetain: integer
│          │     └ CleanExpiredFiles: boolean
│          └[~] type RetentionConfiguration
│            └ properties
│               └ IcebergConfiguration: - IcebergConfiguration
│                                       + IcebergConfiguration ⇐ IcebergRetentionConfiguration
├[~] service aws-guardduty
│ └ resources
│    ├[~]  resource AWS::GuardDuty::IPSet
│    │  ├      - documentation: The `AWS::GuardDuty::IPSet` resource specifies a new `IPSet` . An `IPSet` is a list of trusted IP addresses from which secure communication is allowed with AWS infrastructure and applications.
│    │  │      + documentation: The `AWS::GuardDuty::IPSet` resource helps you create a list of trusted IP addresses that you can use for secure communication with AWS infrastructure and applications. Once you activate this list, GuardDuty will not generate findings when there is an activity associated with these safe IP addresses.
│    │  │      Only the users of the GuardDuty administrator account can manage this list. These settings are also applied to the member accounts.
│    │  └ properties
│    │     ├ Activate: (documentation changed)
│    │     ├ Format: (documentation changed)
│    │     ├ Name: (documentation changed)
│    │     └ Tags: (documentation changed)
│    ├[~]  resource AWS::GuardDuty::ThreatEntitySet
│    │  ├      - documentation: Resource Type definition for AWS::GuardDuty::ThreatEntitySet
│    │  │      + documentation: The `AWS::GuardDuty::ThreatEntitySet` resource helps you create a list of known malicious IP addresses and domain names in your AWS environment. Once you activate this list, GuardDuty will use the entries in this list as an additional source of threat detection and generate findings when there is an activity associated with these known malicious IP addresses and domain names. GuardDuty continues to monitor independently of this custom threat entity set.
│    │  │      Only the users of the GuardDuty administrator account can manage this list. These settings automatically apply to the member accounts.
│    │  ├ properties
│    │  │  ├ Activate: (documentation changed)
│    │  │  ├ DetectorId: (documentation changed)
│    │  │  ├ ExpectedBucketOwner: (documentation changed)
│    │  │  ├ Format: (documentation changed)
│    │  │  ├ Location: (documentation changed)
│    │  │  ├ Name: (documentation changed)
│    │  │  └ Tags: (documentation changed)
│    │  ├ attributes
│    │  │  ├ CreatedAt: (documentation changed)
│    │  │  ├ ErrorDetails: (documentation changed)
│    │  │  ├ Id: (documentation changed)
│    │  │  ├ Status: (documentation changed)
│    │  │  └ UpdatedAt: (documentation changed)
│    │  └ types
│    │     └[~] type TagItem
│    │       ├      - documentation: undefined
│    │       │      + documentation: Describes a tag. For more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .
│    │       └ properties
│    │          ├ Key: (documentation changed)
│    │          └ Value: (documentation changed)
│    ├[~]  resource AWS::GuardDuty::ThreatIntelSet
│    │  ├      - documentation: The `AWS::GuardDuty::ThreatIntelSet` resource specifies a new `ThreatIntelSet` . A `ThreatIntelSet` consists of known malicious IP addresses. GuardDuty generates findings based on the `ThreatIntelSet` after it is activated.
│    │  │      + documentation: The `AWS::GuardDuty::ThreatIntelSet` resource helps you create a list of known malicious IP addresses in your AWS environment. Once you activate this list, GuardDuty will use list the entries in this list as an additional source for threat detection and generate findings when there is an activity associated with these known malicious IP addresses. GuardDuty continues to monitor independently of this custom threat intelligence set.
│    │  │      Only the users of the GuardDuty administrator account can manage this list. These settings automatically apply to the member accounts.
│    │  └ properties
│    │     ├ Activate: (documentation changed)
│    │     ├ DetectorId: (documentation changed)
│    │     ├ Format: (documentation changed)
│    │     ├ Name: (documentation changed)
│    │     └ Tags: (documentation changed)
│    └[~]  resource AWS::GuardDuty::TrustedEntitySet
│       ├      - documentation: Resource Type definition for AWS::GuardDuty::TrustedEntitySet
│       │      + documentation: The `AWS::GuardDuty::TrustedEntitySet` resource helps you create a list of IP addresses and domain names that you can use for secure communication with your AWS infrastructure and applications. Once you activate this list, GuardDuty will not generate findings when there is an activity associated with these safe IP addresses and domain names. At any given time, you can have only one trusted entity set.
│       │      Only the users of the GuardDuty administrator account can manage the entity sets. These settings automatically apply member accounts.
│       ├ properties
│       │  ├ Activate: (documentation changed)
│       │  ├ DetectorId: (documentation changed)
│       │  ├ ExpectedBucketOwner: (documentation changed)
│       │  ├ Format: (documentation changed)
│       │  ├ Location: (documentation changed)
│       │  ├ Name: (documentation changed)
│       │  └ Tags: (documentation changed)
│       ├ attributes
│       │  ├ CreatedAt: (documentation changed)
│       │  ├ ErrorDetails: (documentation changed)
│       │  ├ Status: (documentation changed)
│       │  └ UpdatedAt: (documentation changed)
│       └ types
│          └[~] type TagItem
│            ├      - documentation: undefined
│            │      + documentation: Describes a tag. For more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .
│            └ properties
│               ├ Key: (documentation changed)
│               └ Value: (documentation changed)
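Review bot: Two of the new GuardDuty documentation strings carry wording errors: the AWS::GuardDuty::ThreatIntelSet text reads "will use list the entries in this list" and the AWS::GuardDuty::TrustedEntitySet text reads "automatically apply member accounts". These come from the upstream service spec and should be reported there. The new IPSet and TrustedEntitySet text also states that GuardDuty will not generate findings for activity from listed entries, which is worth surfacing in release notes because it describes a detection suppression, not just a naming change.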
├[~] service aws-inspectorv2
│ └ resources
│    ├[~]  resource AWS::InspectorV2::CodeSecurityIntegration
│    │  ├      - documentation: Inspector CodeSecurityIntegration resource schema
│    │  │      + documentation: Creates a code security integration with a source code repository provider.
│    │  ├ properties
│    │  │  ├ CreateIntegrationDetails: (documentation changed)
│    │  │  ├ Name: (documentation changed)
│    │  │  ├ Tags: (documentation changed)
│    │  │  ├ Type: (documentation changed)
│    │  │  └ UpdateIntegrationDetails: (documentation changed)
│    │  ├ attributes
│    │  │  ├ Arn: (documentation changed)
│    │  │  ├ AuthorizationUrl: (documentation changed)
│    │  │  ├ CreatedAt: (documentation changed)
│    │  │  ├ LastUpdatedAt: (documentation changed)
│    │  │  ├ Status: (documentation changed)
│    │  │  └ StatusReason: (documentation changed)
│    │  └ types
│    │     ├[~] type CreateDetails
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Contains details required to create a code security integration with a specific repository provider.
│    │     │ └ properties
│    │     │    └ gitlabSelfManaged: (documentation changed)
│    │     ├[~] type CreateGitLabSelfManagedIntegrationDetail
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Contains details required to create an integration with a self-managed GitLab instance.
│    │     │ └ properties
│    │     │    ├ accessToken: (documentation changed)
│    │     │    └ instanceUrl: (documentation changed)
│    │     ├[~] type UpdateDetails
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Contains details required to update a code security integration with a specific repository provider.
│    │     │ └ properties
│    │     │    ├ github: (documentation changed)
│    │     │    └ gitlabSelfManaged: (documentation changed)
│    │     ├[~] type UpdateGitHubIntegrationDetail
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Contains details required to update an integration with GitHub.
│    │     │ └ properties
│    │     │    ├ code: (documentation changed)
│    │     │    └ installationId: (documentation changed)
│    │     └[~] type UpdateGitLabSelfManagedIntegrationDetail
│    │       ├      - documentation: undefined
│    │       │      + documentation: Contains details required to update an integration with a self-managed GitLab instance.
│    │       └ properties
│    │          └ authCode: (documentation changed)
│    └[~]  resource AWS::InspectorV2::CodeSecurityScanConfiguration
│       ├      - documentation: Inspector CodeSecurityScanConfiguration resource schema
│       │      + documentation: Creates a scan configuration for code security scanning.
│       ├ properties
│       │  ├ Configuration: (documentation changed)
│       │  ├ Level: (documentation changed)
│       │  ├ Name: (documentation changed)
│       │  ├ ScopeSettings: (documentation changed)
│       │  └ Tags: (documentation changed)
│       ├ attributes
│       │  └ Arn: (documentation changed)
│       └ types
│          ├[~] type CodeSecurityScanConfiguration
│          │ ├      - documentation: undefined
│          │ │      + documentation: Contains the configuration settings for code security scans.
│          │ └ properties
│          │    ├ continuousIntegrationScanConfiguration: (documentation changed)
│          │    ├ periodicScanConfiguration: (documentation changed)
│          │    └ ruleSetCategories: (documentation changed)
│          ├[~] type ContinuousIntegrationScanConfiguration
│          │ ├      - documentation: undefined
│          │ │      + documentation: Configuration settings for continuous integration scans that run automatically when code changes are made.
│          │ └ properties
│          │    └ supportedEvents: (documentation changed)
│          ├[~] type PeriodicScanConfiguration
│          │ ├      - documentation: undefined
│          │ │      + documentation: Configuration settings for periodic scans that run on a scheduled basis.
│          │ └ properties
│          │    ├ frequency: (documentation changed)
│          │    └ frequencyExpression: (documentation changed)
│          └[~] type ScopeSettings
│            ├      - documentation: undefined
│            │      + documentation: The scope settings that define which repositories will be scanned. If the `ScopeSetting` parameter is `ALL` the scan configuration applies to all existing and future projects imported into Amazon Inspector .
│            └ properties
│               └ projectSelectionScope: (documentation changed)
├[~] service aws-kinesisanalyticsv2
│ └ resources
│    └[~]  resource AWS::KinesisAnalyticsV2::Application
│       └ types
│          ├[~] type ApplicationConfiguration
│          │ └ properties
│          │    └[+] ApplicationEncryptionConfiguration: ApplicationEncryptionConfiguration
│          └[+]  type ApplicationEncryptionConfiguration
│             ├      documentation: Describes whether customer managed key is enabled and key details for customer data encryption
│             │      name: ApplicationEncryptionConfiguration
│             └ properties
│                ├ KeyId: string
│                └ KeyType: string (required)
├[~] service aws-logs
│ └ resources
│    ├[~]  resource AWS::Logs::DeliveryDestination
│    │  └ types
│    │     └[~] type DestinationPolicy
│    │       ├      - documentation: undefined
│    │       │      + documentation: An IAM policy that grants permissions to CloudWatch Logs to deliver logs cross-account to a specified destination in this account.
│    │       └ properties
│    │          ├ DeliveryDestinationName: (documentation changed)
│    │          └ DeliveryDestinationPolicy: (documentation changed)
│    └[~]  resource AWS::Logs::LogGroup
│       └ properties
│          ├ DataProtectionPolicy: (documentation changed)
│          ├ ResourcePolicyDocument: (documentation changed)
│          └ RetentionInDays: (documentation changed)
├[~] service aws-mediapackagev2
│ └ resources
│    └[~]  resource AWS::MediaPackageV2::Channel
│       └ types
│          └[~] type InputSwitchConfiguration
│            └ properties
│               └ MQCSInputSwitching: (documentation changed)
├[~] service aws-networkfirewall
│ └ resources
│    └[~]  resource AWS::NetworkFirewall::TLSInspectionConfiguration
│       └ types
│          ├[~] type CheckCertificateRevocationStatus
│          │ └      - documentation: When enabled, Network Firewall checks if the server certificate presented by the server in the SSL/TLS connection has a revoked or unkown status. If the certificate has an unknown or revoked status, you must specify the actions that Network Firewall takes on outbound traffic. To check the certificate revocation status, you must also specify a `CertificateAuthorityArn` in [ServerCertificateConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-servercertificateconfiguration.html) .
│          │        + documentation: When enabled, Network Firewall checks if the server certificate presented by the server in the SSL/TLS connection has a revoked or unkown status. If the certificate has an unknown or revoked status, you must specify the actions that Network Firewall takes on outbound traffic. To check the certificate revocation status, you must also specify a `CertificateAuthorityArn` in [ServerCertificateConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-networkfirewall-servercertificateconfiguration.html) .
│          ├[~] type ServerCertificate
│          │ └      - documentation: Any AWS Certificate Manager (ACM) Secure Sockets Layer/Transport Layer Security (SSL/TLS) server certificate that's associated with a [ServerCertificateConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration.html) . Used in a [TLSInspectionConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-tlsinspectionconfiguration.html) for inspection of inbound traffic to your firewall. You must request or import a SSL/TLS certificate into ACM for each domain Network Firewall needs to decrypt and inspect. AWS Network Firewall uses the SSL/TLS certificates to decrypt specified inbound SSL/TLS traffic going to your firewall. For information about working with certificates in AWS Certificate Manager , see [Request a public certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html) or [Importing certificates](https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html) in the *AWS Certificate Manager User Guide* .
│          │        + documentation: Any AWS Certificate Manager (ACM) Secure Sockets Layer/Transport Layer Security (SSL/TLS) server certificate that's associated with a [ServerCertificateConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration.html) . Used in a [TLSInspectionConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-networkfirewall-tlsinspectionconfiguration.html) for inspection of inbound traffic to your firewall. You must request or import a SSL/TLS certificate into ACM for each domain Network Firewall needs to decrypt and inspect. AWS Network Firewall uses the SSL/TLS certificates to decrypt specified inbound SSL/TLS traffic going to your firewall. For information about working with certificates in AWS Certificate Manager , see [Request a public certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html) or [Importing certificates](https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html) in the *AWS Certificate Manager User Guide* .
│          └[~] type ServerCertificateConfiguration
│            ├      - documentation: Configures the AWS Certificate Manager certificates and scope that Network Firewall uses to decrypt and re-encrypt traffic using a [TLSInspectionConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-tlsinspectionconfiguration.html) . You can configure `ServerCertificates` for inbound SSL/TLS inspection, a `CertificateAuthorityArn` for outbound SSL/TLS inspection, or both. For information about working with certificates for TLS inspection, see [Using SSL/TLS server certficiates with TLS inspection configurations](https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html) in the *AWS Network Firewall Developer Guide* .
│            │      > If a server certificate that's associated with your [TLSInspectionConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-tlsinspectionconfiguration.html) is revoked, deleted, or expired it can result in client-side TLS errors.
│            │      + documentation: Configures the AWS Certificate Manager certificates and scope that Network Firewall uses to decrypt and re-encrypt traffic using a [TLSInspectionConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-networkfirewall-tlsinspectionconfiguration.html) . You can configure `ServerCertificates` for inbound SSL/TLS inspection, a `CertificateAuthorityArn` for outbound SSL/TLS inspection, or both. For information about working with certificates for TLS inspection, see [Using SSL/TLS server certficiates with TLS inspection configurations](https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html) in the *AWS Network Firewall Developer Guide* .
│            │      > If a server certificate that's associated with your [TLSInspectionConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-networkfirewall-tlsinspectionconfiguration.html) is revoked, deleted, or expired it can result in client-side TLS errors.
│            └ properties
│               └ CheckCertificateRevocationStatus: (documentation changed)
├[~] service aws-route53
│ └ resources
│    └[~]  resource AWS::Route53::HealthCheck
│       └      - tagInformation: undefined
│              + tagInformation: {"tagPropertyName":"HealthCheckTags","variant":"standard"}
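Review bot: the `tagInformation` change on `AWS::Route53::HealthCheck` from `undefined` to `{"tagPropertyName":"HealthCheckTags","variant":"standard"}` is the only entry under this service that is not a documentation change, yet the "CHANGES TO L1 RESOURCES" summary does not mention it. Please confirm how the generated L1 handles `HealthCheckTags` once the resource carries tag information, and whether stacks that already contain health checks will see a template diff after upgrading.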
├[~] service aws-s3
│ └ resources
│    ├[~]  resource AWS::S3::Bucket
│    │  └ properties
│    │     └ ObjectLockConfiguration: (documentation changed)
│    └[~]  resource AWS::S3::BucketPolicy
│       └      - documentation: Applies an Amazon S3 bucket policy to an Amazon S3 bucket. If you are using an identity other than the root user of the AWS account that owns the bucket, the calling identity must have the `PutBucketPolicy` permissions on the specified bucket and belong to the bucket owner's account in order to use this operation.
│              If you don't have `PutBucketPolicy` permissions, Amazon S3 returns a `403 Access Denied` error. If you have the correct permissions, but you're not using an identity that belongs to the bucket owner's account, Amazon S3 returns a `405 Method Not Allowed` error.
│              > As a security precaution, the root user of the AWS account that owns a bucket can always use this operation, even if the policy explicitly denies the root user the ability to perform this action. 
│              When using the `AWS::S3::BucketPolicy` resource, you can create, update, and delete bucket policies for S3 buckets located in regions different from the stack's region. This cross-region bucket policy modification functionality is supported for backward compatibility with existing workflows.
│              > If the [DeletionPolicy attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html) is not specified or set to `Delete` , the bucket policy will be removed when the stack is deleted. If set to `Retain` , the bucket policy will be preserved even after the stack is deleted. 
│              For example, a CloudFormation stack in `us-east-1` can use the `AWS::S3::BucketPolicy` resource to manage the bucket policy for an S3 bucket in `us-west-2` . The retention or removal of the bucket policy during the stack deletion is determined by the `DeletionPolicy` attribute specified in the stack template.
│              For more information, see [Bucket policy examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html) .
│              The following operations are related to `PutBucketPolicy` :
│              - [CreateBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html)
│              - [DeleteBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html)
│              + documentation: Applies an Amazon S3 bucket policy to an Amazon S3 bucket. If you are using an identity other than the root user of the AWS account that owns the bucket, the calling identity must have the `PutBucketPolicy` permissions on the specified bucket and belong to the bucket owner's account in order to use this operation.
│              If you don't have `PutBucketPolicy` permissions, Amazon S3 returns a `403 Access Denied` error. If you have the correct permissions, but you're not using an identity that belongs to the bucket owner's account, Amazon S3 returns a `405 Method Not Allowed` error.
│              > As a security precaution, the root user of the AWS account that owns a bucket can always use this operation, even if the policy explicitly denies the root user the ability to perform this action. 
│              When using the `AWS::S3::BucketPolicy` resource, you can create, update, and delete bucket policies for S3 buckets located in Regions that are different from the stack's Region. However, the CloudFormation stacks should be deployed in the US East (N. Virginia) or `us-east-1` Region. This cross-region bucket policy modification functionality is supported for backward compatibility with existing workflows.
│              > If the [DeletionPolicy attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html) is not specified or set to `Delete` , the bucket policy will be removed when the stack is deleted. If set to `Retain` , the bucket policy will be preserved even after the stack is deleted. 
│              For example, a CloudFormation stack in `us-east-1` can use the `AWS::S3::BucketPolicy` resource to manage the bucket policy for an S3 bucket in `us-west-2` . The retention or removal of the bucket policy during the stack deletion is determined by the `DeletionPolicy` attribute specified in the stack template.
│              For more information, see [Bucket policy examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html) .
│              The following operations are related to `PutBucketPolicy` :
│              - [CreateBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html)
│              - [DeleteBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html)
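Review bot: the sentence added to the `AWS::S3::BucketPolicy` documentation, "However, the CloudFormation stacks should be deployed in the US East (N. Virginia) or `us-east-1` Region.", reads as two alternative Regions although both names refer to the same one. It also says "should" without stating what happens to a stack in any other Region that manages a bucket policy across Regions. The wording comes from the service spec, so it is worth raising upstream; nothing needs to change in this PR.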
├[~] service aws-sagemaker
│ └ resources
│    └[~]  resource AWS::SageMaker::Cluster
│       └ types
│          ├[+]  type AlarmDetails
│          │  ├      documentation: The details of the alarm to monitor during the AMI update.
│          │  │      name: AlarmDetails
│          │  └ properties
│          │     └ AlarmName: string (required)
│          ├[+]  type CapacitySizeConfig
│          │  ├      documentation: The configuration of the size measurements of the AMI update. Using this configuration, you can specify whether SageMaker should update your instance group by an amount or percentage of instances.
│          │  │      name: CapacitySizeConfig
│          │  └ properties
│          │     ├ Type: string (required)
│          │     └ Value: integer (required)
│          ├[~] type ClusterInstanceGroup
│          │ └ properties
│          │    └[+] ScheduledUpdateConfig: ScheduledUpdateConfig
│          ├[+]  type DeploymentConfig
│          │  ├      documentation: The deployment configuration for an endpoint, which contains the desired deployment strategy and rollback configurations.
│          │  │      name: DeploymentConfig
│          │  └ properties
│          │     ├ AutoRollbackConfiguration: Array<AlarmDetails>
│          │     ├ RollingUpdatePolicy: RollingUpdatePolicy
│          │     └ WaitIntervalInSeconds: integer
│          ├[+]  type RollingUpdatePolicy
│          │  ├      documentation: Specifies a rolling deployment strategy for updating a SageMaker endpoint.
│          │  │      name: RollingUpdatePolicy
│          │  └ properties
│          │     ├ MaximumBatchSize: CapacitySizeConfig (required)
│          │     └ RollbackMaximumBatchSize: CapacitySizeConfig
│          └[+]  type ScheduledUpdateConfig
│             ├      documentation: The configuration object of the schedule that SageMaker follows when updating the AMI.
│             │      name: ScheduledUpdateConfig
│             └ properties
│                ├ ScheduleExpression: string (required)
│                └ DeploymentConfig: DeploymentConfig
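Review bot: the documentation on the new `DeploymentConfig` and `RollingUpdatePolicy` types does not match where they are attached. Both are added under `AWS::SageMaker::Cluster` and reached through `ClusterInstanceGroup.ScheduledUpdateConfig`, but they describe "an endpoint" and "updating a SageMaker endpoint", while the sibling types `AlarmDetails`, `CapacitySizeConfig` and `ScheduledUpdateConfig` describe the AMI update. `CapacitySizeConfig.Type` and `ScheduledUpdateConfig.ScheduleExpression` are also required plain strings with no allowed values or expected format documented here. Both points are worth reporting against the upstream spec.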
├[~] service aws-servicediscovery
│ └ resources
│    ├[~]  resource AWS::ServiceDiscovery::HttpNamespace
│    │  └      - documentation: The `HttpNamespace` resource is an AWS Cloud Map resource type that contains information about an HTTP namespace. Service instances that you register using an HTTP namespace can be discovered using a `DiscoverInstances` request but can't be discovered using DNS.
│    │         For the current quota on the number of namespaces that you can create using the same AWS account, see [AWS Cloud Map quotas](https://docs.aws.amazon.com/cloud-map/latest/dg/cloud-map-limits.html) in the ** .
│    │         + documentation: Creates an HTTP namespace. Service instances registered using an HTTP namespace can be discovered using a `DiscoverInstances` request but can't be discovered using DNS.
│    │         For the current quota on the number of namespaces that you can create using the same AWS account , see [AWS Cloud Map quotas](https://docs.aws.amazon.com/cloud-map/latest/dg/cloud-map-limits.html) in the *AWS Cloud Map Developer Guide* .
│    ├[~]  resource AWS::ServiceDiscovery::Instance
│    │  └ properties
│    │     └ ServiceId: (documentation changed)
│    └[~]  resource AWS::ServiceDiscovery::Service
│       ├      - documentation: A complex type that contains information about a service, which defines the configuration of the following entities:
│       │      - For public and private DNS namespaces, one of the following combinations of DNS records in Amazon Route 53:
│       │      - A
│       │      - AAAA
│       │      - A and AAAA
│       │      - SRV
│       │      - CNAME
│       │      - Optionally, a health check
│       │      + documentation: A complex type that contains information about the specified service.
│       ├ properties
│       │  ├ NamespaceId: (documentation changed)
│       │  └ ServiceAttributes: (documentation changed)
│       └ types
│          └[~] type DnsConfig
│            └ properties
│               └ NamespaceId: (documentation changed)
├[~] service aws-ssm
│ └ resources
│    └[~]  resource AWS::SSM::PatchBaseline
│       └ properties
│          └ RejectedPatchesAction: (documentation changed)
├[~] service aws-ssmquicksetup
│ └ resources
│    └[~]  resource AWS::SSMQuickSetup::ConfigurationManager
│       └ types
│          └[~] type ConfigurationDefinition
│            └ properties
│               └ Parameters: (documentation changed)
├[~] service aws-synthetics
│ └ resources
│    └[~]  resource AWS::Synthetics::Canary
│       └ types
│          └[~] type Dependency
│            ├      - documentation: undefined
│            │      + documentation: A structure that contains information about a dependency for a canary.
│            └ properties
│               ├ Reference: (documentation changed)
│               └ Type: (documentation changed)
├[~] service aws-vpclattice
│ └ resources
│    └[~]  resource AWS::VpcLattice::ResourceGateway
│       └ properties
│          └[+] Ipv4AddressesPerEni: integer
└[~] service aws-workspacesweb
  └ resources
     ├[~]  resource AWS::WorkSpacesWeb::Portal
     │  └ properties
     │     └ SessionLoggerArn: (documentation changed)
     └[~]  resource AWS::WorkSpacesWeb::SessionLogger
        ├      - documentation: Definition of AWS::WorkSpacesWeb::SessionLogger Resource Type
        │      + documentation: The session logger resource.
        ├ properties
        │  ├ AdditionalEncryptionContext: (documentation changed)
        │  ├ CustomerManagedKey: (documentation changed)
        │  ├ DisplayName: (documentation changed)
        │  ├ EventFilter: (documentation changed)
        │  └ LogConfiguration: (documentation changed)
        ├ attributes
        │  ├ AssociatedPortalArns: (documentation changed)
        │  ├ CreationDate: (documentation changed)
        │  └ SessionLoggerArn: (documentation changed)
        └ types
           ├[~] type EventFilter
           │ ├      - documentation: undefined
           │ │      + documentation: The filter that specifies the events to monitor.
           │ └ properties
           │    ├ All: (documentation changed)
           │    └ Include: (documentation changed)
           ├[~] type LogConfiguration
           │ ├      - documentation: undefined
           │ │      + documentation: The configuration of the log.
           │ └ properties
           │    └ S3: (documentation changed)
           └[~] type S3LogConfiguration
             ├      - documentation: undefined
             │      + documentation: The S3 log configuration.
             └ properties
                ├ Bucket: (documentation changed)
                ├ BucketOwner: (documentation changed)
                ├ FolderStructure: (documentation changed)
                ├ KeyPrefix: (documentation changed)
                └ LogFileFormat: (documentation changed)

CHANGES TO L1 RESOURCES: L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

  • aws-ecs: AWS::ECS::Service: AvailabilityZoneRebalancing property default value changed from "ENABLED" to "DISABLED".

@aws-cdk-automation aws-cdk-automation added contribution/core This is a PR that came from AWS. dependencies This issue is a problem in a dependency or a pull request that updates a dependency file. pr-linter/exempt-readme The PR linter will not require README changes pr-linter/exempt-test The PR linter will not require test changes pr-linter/exempt-integ-test The PR linter will not require integ test changes labels Aug 25, 2025
@aws-cdk-automation aws-cdk-automation requested review from a team August 25, 2025 10:27
@github-actions github-actions bot added the p2 label Aug 25, 2025
@alvazjor

We need to check if the current L2 of ECS is using the old value as default, and how it can be modified (if needed)

├[~] service aws-ecs
│ └ resources
│    └[~]  resource AWS::ECS::Service
│       └ properties
│          └ AvailabilityZoneRebalancing: - string (default="ENABLED")
│                                         + string (default="DISABLED")

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`
@leonmk-aws leonmk-aws force-pushed the automation/spec-update branch from 9b20f0b to e6039de Compare August 26, 2025 17:44
@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Aug 27, 2025
@alvazjor

We need to check if the current L2 of ECS is using the old value as default, and how it can be modified (if needed)

├[~] service aws-ecs
│ └ resources
│    └[~]  resource AWS::ECS::Service
│       └ properties
│          └ AvailabilityZoneRebalancing: - string (default="ENABLED")
│                                         + string (default="DISABLED")

Reviewed this, the L2s actually use DISABLED as the default value, so we don't need to change anything there.

@mergify

mergify bot commented Aug 27, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 0d674e4 into main Aug 27, 2025
18 checks passed
@mergify mergify bot deleted the automation/spec-update branch August 27, 2025 10:10
@github-actions

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 27, 2025