Skip to content

feat: update L1 CloudFormation resource definitions #33980

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Apr 3, 2025
Merged

feat: update L1 CloudFormation resource definitions #33980

merged 4 commits into from
Apr 3, 2025

Conversation

aws-cdk-automation
Copy link
Collaborator

Updates the L1 CloudFormation resource definitions with the latest changes from @aws-cdk/aws-service-spec

L1 CloudFormation resource definition changes:

├[~] service aws-arczonalshift
│ └ resources
│    └[~]  resource AWS::ARCZonalShift::ZonalAutoshiftConfiguration
│       └ properties
│          └ PracticeRunConfiguration: (documentation changed)
├[~] service aws-cloudformation
│ └ resources
│    └[~]  resource AWS::CloudFormation::Stack
│       └      - documentation: The `AWS::CloudFormation::Stack` resource nests a stack as a resource in a top-level template.
│              For more information, see [Embed stacks within other stacks using nested stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html) in the *AWS CloudFormation User Guide* .
│              You can add output values from a nested stack within the containing template. You use the [GetAtt](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html) function with the nested stack's logical name and the name of the output value in the nested stack in the format `Outputs. *NestedStackOutputName*` .
│              We strongly recommend that updates to nested stacks are run from the parent stack.
│              When you apply template changes to update a top-level stack, CloudFormation updates the top-level stack and initiates an update to its nested stacks. CloudFormation updates the resources of modified nested stacks, but doesn't update the resources of unmodified nested stacks.
│              You must acknowledge IAM capabilities for nested stacks that contain IAM resources. Also, verify that you have cancel update stack permissions, which is required if an update rolls back. For more information about IAM and CloudFormation , see [Controlling access with AWS Identity and Access Management](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/control-access-with-iam.html) in the *AWS CloudFormation User Guide* .
│              > A subset of `AWS::CloudFormation::Stack` resource type properties listed below are available to customers using CloudFormation , AWS CDK , and AWS Cloud Control API to configure.
│              > 
│              > - `NotificationARNs`
│              > - `Parameters`
│              > - `Tags`
│              > - `TemplateURL`
│              > - `TimeoutInMinutes`
│              > 
│              > These properties can be configured only when using AWS Cloud Control API . This is because the below properties are set by the parent stack, and thus cannot be configured using CloudFormation or AWS CDK but only AWS Cloud Control API .
│              > 
│              > - `Capabilities`
│              > - `Description`
│              > - `DisableRollback`
│              > - `EnableTerminationProtection`
│              > - `RoleARN`
│              > - `StackName`
│              > - `StackPolicyBody`
│              > - `StackPolicyURL`
│              > - `StackStatusReason`
│              > - `TemplateBody`
│              > 
│              > Customers that configure `AWS::CloudFormation::Stack` using CloudFormation and AWS CDK can do so for nesting a CloudFormation stack as a resource in their top-level template.
│              > 
│              > These read-only properties can be accessed only when using AWS Cloud Control API .
│              > 
│              > - `ChangeSetId`
│              > - `CreationTime`
│              > - `LastUpdateTime`
│              > - `Outputs`
│              > - `ParentId`
│              > - `RootId`
│              > - `StackId`
│              > - `StackStatus`
│              + documentation: The `AWS::CloudFormation::Stack` resource nests a stack as a resource in a top-level template.
│              For more information, see [Embed stacks within other stacks using nested stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html) in the *AWS CloudFormation User Guide* .
│              You can add output values from a nested stack within the containing template. You use the [GetAtt](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html) function with the nested stack's logical name and the name of the output value in the nested stack in the format `Outputs. *NestedStackOutputName*` .
│              We strongly recommend that updates to nested stacks are run from the parent stack.
│              When you apply template changes to update a top-level stack, CloudFormation updates the top-level stack and initiates an update to its nested stacks. CloudFormation updates the resources of modified nested stacks, but doesn't update the resources of unmodified nested stacks.
│              You must acknowledge IAM capabilities for nested stacks that contain IAM resources. Also, verify that you have cancel update stack permissions, which is required if an update rolls back. For more information about IAM and CloudFormation , see [Controlling access with AWS Identity and Access Management](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/control-access-with-iam.html) in the *AWS CloudFormation User Guide* .
│              > A subset of `AWS::CloudFormation::Stack` resource type properties listed below are available to customers using CloudFormation , AWS CDK , and Cloud Control  to configure.
│              > 
│              > - `NotificationARNs`
│              > - `Parameters`
│              > - `Tags`
│              > - `TemplateURL`
│              > - `TimeoutInMinutes`
│              > 
│              > These properties can be configured only when using Cloud Control  . This is because the below properties are set by the parent stack, and thus cannot be configured using CloudFormation or AWS CDK but only Cloud Control  .
│              > 
│              > - `Capabilities`
│              > - `Description`
│              > - `DisableRollback`
│              > - `EnableTerminationProtection`
│              > - `RoleARN`
│              > - `StackName`
│              > - `StackPolicyBody`
│              > - `StackPolicyURL`
│              > - `StackStatusReason`
│              > - `TemplateBody`
│              > 
│              > Customers that configure `AWS::CloudFormation::Stack` using CloudFormation and AWS CDK can do so for nesting a CloudFormation stack as a resource in their top-level template.
│              > 
│              > These read-only properties can be accessed only when using Cloud Control  .
│              > 
│              > - `ChangeSetId`
│              > - `CreationTime`
│              > - `LastUpdateTime`
│              > - `Outputs`
│              > - `ParentId`
│              > - `RootId`
│              > - `StackId`
│              > - `StackStatus`
├[~] service aws-codestarnotifications
│ └ resources
│    └[~]  resource AWS::CodeStarNotifications::NotificationRule
│       ├      - documentation: Creates a notification rule for a resource. The rule specifies the events you want notifications about and the targets (such as Amazon Simple Notification Service topics or AWS Chatbot clients configured for Slack) where you want to receive them.
│       │      + documentation: Creates a notification rule for a resource. The rule specifies the events you want notifications about and the targets (such as Amazon Simple Notification Service topics or  clients configured for Slack) where you want to receive them.
│       ├ properties
│       │  ├ TargetAddress: (documentation changed)
│       │  └ Targets: (documentation changed)
│       └ types
│          └[~] type Target
│            ├      - documentation: Information about the AWS Chatbot topics or AWS Chatbot clients associated with a notification rule.
│            │      + documentation: Information about the  topics or  clients associated with a notification rule.
│            └ properties
│               ├ TargetAddress: (documentation changed)
│               └ TargetType: (documentation changed)
├[~] service aws-ec2
│ └ resources
│    └[~]  resource AWS::EC2::Instance
│       └ types
│          ├[+]  type EnaSrdSpecification
│          │  ├      documentation: Specifies the ENA Express settings for the network interface that's attached to the instance.
│          │  │      name: EnaSrdSpecification
│          │  └ properties
│          │     ├ EnaSrdEnabled: boolean
│          │     └ EnaSrdUdpSpecification: EnaSrdUdpSpecification
│          ├[+]  type EnaSrdUdpSpecification
│          │  ├      documentation: Contains ENA Express settings for UDP network traffic for the network interface that's attached to the instance.
│          │  │      name: EnaSrdUdpSpecification
│          │  └ properties
│          │     └ EnaSrdUdpEnabled: boolean
│          └[~] type NetworkInterface
│            └ properties
│               └[+] EnaSrdSpecification: EnaSrdSpecification
├[~] service aws-eks
│ └ resources
│    ├[~]  resource AWS::EKS::Cluster
│    │  └ properties
│    │     └ Force: (documentation changed)
│    └[~]  resource AWS::EKS::PodIdentityAssociation
│       ├ properties
│       │  ├[+] DisableSessionTags: boolean
│       │  └[+] TargetRoleArn: string
│       └ attributes
│          └[+] ExternalId: string
├[~] service aws-gamelift
│ └ resources
│    ├[~]  resource AWS::GameLift::Build
│    │  └ types
│    │     └[~] type StorageLocation
│    │       └ properties
│    │          └ ObjectVersion: (documentation changed)
│    └[~]  resource AWS::GameLift::Fleet
│       └ properties
│          └ ScriptId: (documentation changed)
├[~] service aws-lex
│ └ resources
│    └[~]  resource AWS::Lex::Bot
│       └ types
│          ├[~] type BedrockGuardrailConfiguration
│          │ └      - documentation: The guardrail configuration in the Bedrock model specification details.
│          │        + documentation: The details on the Bedrock guardrail configuration.
│          ├[~] type DataSourceConfiguration
│          │ ├      - documentation: Contains details about the configuration of the data source used for the AMAZON.QnAIntent.
│          │ │      + documentation: Contains details about the configuration of the knowledge store used for the `AMAZON.QnAIntent` . You must have already created the knowledge store and indexed the documents within it.
│          │ └ properties
│          │    ├ BedrockKnowledgeStoreConfiguration: (documentation changed)
│          │    ├ KendraConfiguration: (documentation changed)
│          │    └ OpensearchConfiguration: (documentation changed)
│          ├[~] type OpensearchConfiguration
│          │ ├      - documentation: Contains details about the configuration of the Amazon OpenSearch Service database used for the AMAZON.QnAIntent.
│          │ │      + documentation: Contains details about the configuration of the Amazon OpenSearch Service database used for the `AMAZON.QnAIntent` .
│          │ └ properties
│          │    └ IncludeFields: (documentation changed)
│          ├[~] type QnAIntentConfiguration
│          │ ├      - documentation: Details about the the configuration of the built-in Amazon.QnAIntent.
│          │ │      + documentation: Details about the the configuration of the built-in `Amazon.QnAIntent` .
│          │ └ properties
│          │    └ DataSourceConfiguration: (documentation changed)
│          └[~] type QnAKendraConfiguration
│            ├      - documentation: Contains details about the configuration of the Amazon Kendra index used for the AMAZON.QnAIntent.
│            │      + documentation: Contains details about the configuration of the Amazon Kendra index used for the `AMAZON.QnAIntent` .
│            └ properties
│               ├ ExactResponse: (documentation changed)
│               └ QueryFilterString: (documentation changed)
├[~] service aws-notifications
│ └ resources
│    └[~]  resource AWS::Notifications::ManagedNotificationAccountContactAssociation
│       ├      - documentation: Associates an Account Management Contact with a `ManagedNotificationConfiguration` for AWS User Notifications . For more information about AWS User Notifications , see the [AWS User Notifications User Guide](https://docs.aws.amazon.com/notifications/latest/userguide/what-is-service.html) . For more information about Account Management Contacts, see the [AWS Account Management Reference Guide](https://docs.aws.amazon.com/accounts/latest/reference/API_AlternateContact.html) .
│       │      + documentation: Associates an Account Management Contact with a `ManagedNotificationConfiguration` for AWS User Notifications . For more information about AWS User Notifications , see the [AWS User Notifications User Guide](https://docs.aws.amazon.com/notifications/latest/userguide/what-is-service.html) . For more information about Account Management Contacts, see the [Account Management Reference Guide](https://docs.aws.amazon.com/accounts/latest/reference/API_AlternateContact.html) .
│       └ properties
│          └ ContactIdentifier: (documentation changed)
├[~] service aws-opensearchserverless
│ └ resources
│    └[~]  resource AWS::OpenSearchServerless::Index
│       ├      - documentation: An OpenSearch Serverless index resource
│       │      + documentation: An OpenSearch Serverless index resource.
│       ├ properties
│       │  ├ Mappings: (documentation changed)
│       │  └ Settings: (documentation changed)
│       └ types
│          ├[~] type Index
│          │ ├      - documentation: undefined
│          │ │      + documentation: An OpenSearch Serverless index resource
│          │ └ properties
│          │    ├ Knn: (documentation changed)
│          │    ├ KnnAlgoParamEfSearch: (documentation changed)
│          │    └ RefreshInterval: (documentation changed)
│          ├[~] type IndexSettings
│          │ ├      - documentation: undefined
│          │ │      + documentation: Index settings for the OpenSearch Serverless index.
│          │ └ properties
│          │    └ Index: (documentation changed)
│          ├[~] type Mappings
│          │ ├      - documentation: Index Mappings
│          │ │      + documentation: Index mappings for the OpenSearch Serverless index.
│          │ └ properties
│          │    └ Properties: (documentation changed)
│          ├[~] type Method
│          │ ├      - documentation: Configuration for k-NN search method
│          │ │      + documentation: Configuration for k-NN search method.
│          │ └ properties
│          │    ├ Name: (documentation changed)
│          │    ├ Parameters: (documentation changed)
│          │    └ SpaceType: (documentation changed)
│          ├[~] type Parameters
│          │ ├      - documentation: Additional parameters for the k-NN algorithm
│          │ │      + documentation: Additional parameters for the k-NN algorithm.
│          │ └ properties
│          │    ├ EfConstruction: (documentation changed)
│          │    └ M: (documentation changed)
│          └[~] type PropertyMapping
│            ├      - documentation: undefined
│            │      + documentation: Property mappings for the OpenSearch Serverless index.
│            └ properties
│               ├ Dimension: (documentation changed)
│               ├ Index: (documentation changed)
│               ├ Method: (documentation changed)
│               ├ Properties: (documentation changed)
│               └ Value: (documentation changed)
├[~] service aws-organizations
│ └ resources
│    └[~]  resource AWS::Organizations::Account
│       └      - documentation: Creates an AWS account that is automatically a member of the organization whose credentials made the request.
│              AWS CloudFormation uses the [`CreateAccount`](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateAccount.html) operation to create accounts. This is an asynchronous request that AWS performs in the background. Because `CreateAccount` operates asynchronously, it can return a successful completion message even though account initialization might still be in progress. You might need to wait a few minutes before you can successfully access the account. To check the status of the request, do one of the following:
│              - Use the `Id` value of the `CreateAccountStatus` response element from the `CreateAccount` operation to provide as a parameter to the [`DescribeCreateAccountStatus`](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeCreateAccountStatus.html) operation.
│              - Check the CloudTrail log for the `CreateAccountResult` event. For information on using CloudTrail with AWS Organizations , see [Logging and monitoring in AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html#orgs_cloudtrail-integration) in the *AWS Organizations User Guide* .
│              The user who calls the API to create an account must have the `organizations:CreateAccount` permission. If you enabled all features in the organization, AWS Organizations creates the required service-linked role named `AWSServiceRoleForOrganizations` . For more information, see [AWS Organizations and service-linked roles](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_integrate_services-using_slrs) in the *AWS Organizations User Guide* .
│              If the request includes tags, then the requester must have the `organizations:TagResource` permission.
│              AWS Organizations preconfigures the new member account with a role (named `OrganizationAccountAccessRole` by default) that grants users in the management account administrator permissions in the new member account. Principals in the management account can assume the role. AWS Organizations clones the company name and address information for the new account from the organization's management account.
│              For more information about creating accounts, see [Creating a member account in your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create.html) in the *AWS Organizations User Guide* .
│              This operation can be called only from the organization's management account.
│              *Deleting Account resources*
│              The default `DeletionPolicy` for resource `AWS::Organizations::Account` is `Retain` . For more information about how AWS CloudFormation deletes resources, see [DeletionPolicy Attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html) .
│              > - If you include multiple accounts in a single template, you must use the `DependsOn` attribute on each account resource type so that the accounts are created sequentially. If you create multiple accounts at the same time, Organizations returns an error and the stack operation fails.
│              > - You can't modify the following list of `Account` resource parameters using AWS CloudFormation updates.
│              > 
│              > - AccountName
│              > - Email
│              > - RoleName
│              > 
│              > If you attempt to update the listed parameters, CloudFormation will attempt the update, but you will receive an error message as those updates are not supported from an Organizations management account or a [registered delegated administrator](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html) account. Both the update and the update roll-back will fail, so you must skip the account resource update. To update parameters `AccountName` and `Email` , you must sign in to the AWS Management Console as the AWS account root user. For more information, see [Update the AWS account name, email address, or password for the root user](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-root-user.html) in the *AWS Account Management Reference Guide* .
│              > - When you create an account in an organization using the AWS Organizations console, API, or AWS CLI commands, we don't automatically collect the information required for the account to operate as a standalone account. That includes collecting the payment method and signing the end user license agreement (EULA). If you must remove an account from your organization later, you can do so only after you provide the missing information. For more information, see [Considerations before removing an account from an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_account-before-remove.html) in the *AWS Organizations User Guide* .
│              > - When you create an account in an organization using AWS CloudFormation , you can't specify a value for the `CreateAccount` operation parameter `IamUserAccessToBilling` . The default value for parameter `IamUserAccessToBilling` is `ALLOW` , and IAM users and roles with the required permissions can access billing information for the new account.
│              > - If you get an exception that indicates `DescribeCreateAccountStatus returns IN_PROGRESS state before time out` . You must check the account creation status using the [`DescribeCreateAccountStatus`](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeCreateAccountStatus.html) operation. If the account state returns as `SUCCEEDED` , you can import the account into AWS CloudFormation management using [`resource import`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import.html) .
│              > - If you get an exception that indicates you have exceeded your account quota for the organization, you can request an increase by using the [Service Quotas console](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html) .
│              > - If you get an exception that indicates the operation failed because your organization is still initializing, wait one hour and then try again. If the error persists, contact [AWS Support](https://docs.aws.amazon.com/support/home#/) .
│              > - We don't recommend that you use the `CreateAccount` operation to create multiple temporary accounts. You can close accounts using the [`CloseAccount`](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CloseAccount.html) operation or from the AWS Organizations console in the organization's management account. For information on the requirements and process for closing an account, see [Closing a member account in your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_close.html) in the *AWS Organizations User Guide* .
│              + documentation: Creates an AWS account that is automatically a member of the organization whose credentials made the request.
│              AWS CloudFormation uses the [`CreateAccount`](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateAccount.html) operation to create accounts. This is an asynchronous request that AWS performs in the background. Because `CreateAccount` operates asynchronously, it can return a successful completion message even though account initialization might still be in progress. You might need to wait a few minutes before you can successfully access the account. To check the status of the request, do one of the following:
│              - Use the `Id` value of the `CreateAccountStatus` response element from the `CreateAccount` operation to provide as a parameter to the [`DescribeCreateAccountStatus`](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeCreateAccountStatus.html) operation.
│              - Check the CloudTrail log for the `CreateAccountResult` event. For information on using CloudTrail with AWS Organizations , see [Logging and monitoring in AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html#orgs_cloudtrail-integration) in the *AWS Organizations User Guide* .
│              The user who calls the API to create an account must have the `organizations:CreateAccount` permission. If you enabled all features in the organization, AWS Organizations creates the required service-linked role named `AWSServiceRoleForOrganizations` . For more information, see [AWS Organizations and service-linked roles](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_integrate_services-using_slrs) in the *AWS Organizations User Guide* .
│              If the request includes tags, then the requester must have the `organizations:TagResource` permission.
│              AWS Organizations preconfigures the new member account with a role (named `OrganizationAccountAccessRole` by default) that grants users in the management account administrator permissions in the new member account. Principals in the management account can assume the role. AWS Organizations clones the company name and address information for the new account from the organization's management account.
│              For more information about creating accounts, see [Creating a member account in your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create.html) in the *AWS Organizations User Guide* .
│              This operation can be called only from the organization's management account.
│              *Deleting Account resources*
│              The default `DeletionPolicy` for resource `AWS::Organizations::Account` is `Retain` . For more information about how AWS CloudFormation deletes resources, see [DeletionPolicy Attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html) .
│              > - If you include multiple accounts in a single template, you must use the `DependsOn` attribute on each account resource type so that the accounts are created sequentially. If you create multiple accounts at the same time, Organizations returns an error and the stack operation fails.
│              > - You can't modify the following list of `Account` resource parameters using AWS CloudFormation updates.
│              > 
│              > - AccountName
│              > - Email
│              > - RoleName
│              > 
│              > If you attempt to update the listed parameters, CloudFormation will attempt the update, but you will receive an error message as those updates are not supported from an Organizations management account or a [registered delegated administrator](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html) account. Both the update and the update roll-back will fail, so you must skip the account resource update. To update parameters `AccountName` and `Email` , you must sign in to the AWS Management Console as the AWS account root user. For more information, see [Update the AWS account name, email address, or password for the root user](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-root-user.html) in the *Account Management Reference Guide* .
│              > - When you create an account in an organization using the AWS Organizations console, API, or AWS CLI commands, we don't automatically collect the information required for the account to operate as a standalone account. That includes collecting the payment method and signing the end user license agreement (EULA). If you must remove an account from your organization later, you can do so only after you provide the missing information. For more information, see [Considerations before removing an account from an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_account-before-remove.html) in the *AWS Organizations User Guide* .
│              > - When you create an account in an organization using AWS CloudFormation , you can't specify a value for the `CreateAccount` operation parameter `IamUserAccessToBilling` . The default value for parameter `IamUserAccessToBilling` is `ALLOW` , and IAM users and roles with the required permissions can access billing information for the new account.
│              > - If you get an exception that indicates `DescribeCreateAccountStatus returns IN_PROGRESS state before time out` . You must check the account creation status using the [`DescribeCreateAccountStatus`](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeCreateAccountStatus.html) operation. If the account state returns as `SUCCEEDED` , you can import the account into AWS CloudFormation management using [`resource import`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import.html) .
│              > - If you get an exception that indicates you have exceeded your account quota for the organization, you can request an increase by using the [Service Quotas console](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html) .
│              > - If you get an exception that indicates the operation failed because your organization is still initializing, wait one hour and then try again. If the error persists, contact [AWS Support](https://docs.aws.amazon.com/support/home#/) .
│              > - We don't recommend that you use the `CreateAccount` operation to create multiple temporary accounts. You can close accounts using the [`CloseAccount`](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CloseAccount.html) operation or from the AWS Organizations console in the organization's management account. For information on the requirements and process for closing an account, see [Closing a member account in your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_close.html) in the *AWS Organizations User Guide* .
├[~] service aws-quicksight
│ └ resources
│    └[~]  resource AWS::QuickSight::DataSet
│       └ types
│          └[~] type UploadSettings
│            ├      - documentation: <p>Information about the format for a source file or files.</p>
│            │      + documentation: Information about the format for a source file or files.
│            └ properties
│               ├ ContainsHeader: (documentation changed)
│               ├ Delimiter: (documentation changed)
│               ├ Format: (documentation changed)
│               ├ StartFromRow: (documentation changed)
│               └ TextQualifier: (documentation changed)
├[~] service aws-route53recoverycontrol
│ └ resources
│    └[~]  resource AWS::Route53RecoveryControl::Cluster
│       └ properties
│          └ NetworkType: (documentation changed)
├[~] service aws-rum
│ └ resources
│    └[~]  resource AWS::RUM::AppMonitor
│       └ properties
│          └ Domain: (documentation changed)
├[~] service aws-ssmincidents
│ └ resources
│    └[~]  resource AWS::SSMIncidents::ResponsePlan
│       ├ properties
│       │  └ ChatChannel: (documentation changed)
│       └ types
│          ├[~] type ChatChannel
│          │ ├      - documentation: The AWS Chatbot chat channel used for collaboration during an incident.
│          │ │      + documentation: The  chat channel used for collaboration during an incident.
│          │ └ properties
│          │    └ ChatbotSns: (documentation changed)
│          ├[~] type IncidentTemplate
│          │ └ properties
│          │    └ NotificationTargets: (documentation changed)
│          └[~] type NotificationTargetItem
│            └      - documentation: The Amazon SNS topic that's used by AWS Chatbot to notify the incidents chat channel.
│                   + documentation: The Amazon SNS topic that's used by  to notify the incidents chat channel.
└[~] service aws-wafv2
  └ resources
     ├[~]  resource AWS::WAFv2::RegexPatternSet
     │  └ properties
     │     └ Scope: (documentation changed)
     ├[~]  resource AWS::WAFv2::RuleGroup
     │  ├ properties
     │  │  └ Scope: (documentation changed)
     │  └ types
     │     ├[~] type Body
     │     │ └ properties
     │     │    └ OversizeHandling: (documentation changed)
     │     ├[~] type FieldToMatch
     │     │ └ properties
     │     │    ├ Body: (documentation changed)
     │     │    └ JsonBody: (documentation changed)
     │     └[~] type JsonBody
     │       └ properties
     │          └ OversizeHandling: (documentation changed)
     ├[~]  resource AWS::WAFv2::WebACL
     │  ├      - documentation: > This is the latest version of *AWS WAF* , named AWS WAF V2, released in November, 2019. For information, including how to migrate your AWS WAF resources from the prior release, see the [AWS WAF developer guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) . 
     │  │      Use an `WebACL` to define a collection of rules to use to inspect and control web requests. Each rule in a web ACL has a statement that defines what to look for in web requests and an action that AWS WAF applies to requests that match the statement. In the web ACL, you assign a default action to take (allow, block) for any request that doesn't match any of the rules.
     │  │      The rules in a web ACL can be a combination of explicitly defined rules and rule groups that you reference from the web ACL. The rule groups can be rule groups that you manage or rule groups that are managed by others.
     │  │      You can associate a web ACL with one or more AWS resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer , an AWS AppSync GraphQL API , an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance.
     │  │      For more information, see [Web access control lists (web ACLs)](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.html) in the *AWS WAF developer guide* .
     │  │      *Web ACLs used in AWS Shield Advanced automatic application layer DDoS mitigation*
     │  │      If you use Shield Advanced automatic application layer DDoS mitigation, the web ACLs that you use with automatic mitigation have a rule group rule whose name starts with `ShieldMitigationRuleGroup` . This rule is used for automatic mitigations and it's managed for you in the web ACL by Shield Advanced and AWS WAF . You'll see the rule listed among the web ACL rules when you view the web ACL through the AWS WAF interfaces.
     │  │      When you manage the web ACL through AWS CloudFormation interfaces, you won't see the Shield Advanced rule. AWS CloudFormation doesn't include this type of rule in the stack drift status between the actual configuration of the web ACL and your web ACL template.
     │  │      Don't add the Shield Advanced rule group rule to your web ACL template. The rule shouldn't be in your template. When you update the web ACL template in a stack, the Shield Advanced rule is maintained for you by AWS WAF in the resulting web ACL.
     │  │      For more information, see [Shield Advanced automatic application layer DDoS mitigation](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-automatic-app-layer-response.html) in the *AWS Shield Advanced developer guide* .
     │  │      + documentation: > This is the latest version of *AWS WAF* , named AWS WAF V2, released in November, 2019. For information, including how to migrate your AWS WAF resources from the prior release, see the [AWS WAF developer guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) . 
     │  │      Use an `WebACL` to define a collection of rules to use to inspect and control web requests. Each rule in a web ACL has a statement that defines what to look for in web requests and an action that AWS WAF applies to requests that match the statement. In the web ACL, you assign a default action to take (allow, block) for any request that doesn't match any of the rules.
     │  │      The rules in a web ACL can be a combination of explicitly defined rules and rule groups that you reference from the web ACL. The rule groups can be rule groups that you manage or rule groups that are managed by others.
     │  │      You can associate a web ACL with one or more AWS resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer , an AWS AppSync GraphQL API , an Amazon Cognito user pool, an AWS App Runner service, an AWS Amplify application, or an AWS Verified Access instance.
     │  │      For more information, see [Web access control lists (web ACLs)](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.html) in the *AWS WAF developer guide* .
     │  │      *Web ACLs used in AWS Shield Advanced automatic application layer DDoS mitigation*
     │  │      If you use Shield Advanced automatic application layer DDoS mitigation, the web ACLs that you use with automatic mitigation have a rule group rule whose name starts with `ShieldMitigationRuleGroup` . This rule is used for automatic mitigations and it's managed for you in the web ACL by Shield Advanced and AWS WAF . You'll see the rule listed among the web ACL rules when you view the web ACL through the AWS WAF interfaces.
     │  │      When you manage the web ACL through AWS CloudFormation interfaces, you won't see the Shield Advanced rule. AWS CloudFormation doesn't include this type of rule in the stack drift status between the actual configuration of the web ACL and your web ACL template.
     │  │      Don't add the Shield Advanced rule group rule to your web ACL template. The rule shouldn't be in your template. When you update the web ACL template in a stack, the Shield Advanced rule is maintained for you by AWS WAF in the resulting web ACL.
     │  │      For more information, see [Shield Advanced automatic application layer DDoS mitigation](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-automatic-app-layer-response.html) in the *AWS Shield Advanced developer guide* .
     │  ├ properties
     │  │  └ Scope: (documentation changed)
     │  └ types
     │     ├[~] type Body
     │     │ └ properties
     │     │    └ OversizeHandling: (documentation changed)
     │     ├[~] type FieldToMatch
     │     │ └ properties
     │     │    ├ Body: (documentation changed)
     │     │    └ JsonBody: (documentation changed)
     │     └[~] type JsonBody
     │       └ properties
     │          └ OversizeHandling: (documentation changed)
     └[~]  resource AWS::WAFv2::WebACLAssociation
        ├      - documentation: > This is the latest version of *AWS WAF* , named AWS WAF V2, released in November, 2019. For information, including how to migrate your AWS WAF resources from the prior release, see the [AWS WAF developer guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) . 
        │      Use a web ACL association to define an association between a web ACL and a regional application resource, to protect the resource. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance.
        │      For Amazon CloudFront , don't use this resource. Instead, use your CloudFront distribution configuration. To associate a web ACL with a distribution, provide the Amazon Resource Name (ARN) of the `WebACL` to your CloudFront distribution configuration. To disassociate a web ACL, provide an empty ARN. For information, see [AWS::CloudFront::Distribution](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html) .
        │      *Required permissions for customer-managed IAM policies*
        │      This call requires permissions that are specific to the protected resource type. For details, see [Permissions for AssociateWebACL](https://docs.aws.amazon.com/waf/latest/developerguide/security_iam_service-with-iam.html#security_iam_action-AssociateWebACL) in the *AWS WAF Developer Guide* .
        │      *Temporary inconsistencies during updates*
        │      When you create or change a web ACL or other AWS WAF resources, the changes take a small amount of time to propagate to all areas where the resources are stored. The propagation time can be from a few seconds to a number of minutes.
        │      The following are examples of the temporary inconsistencies that you might notice during change propagation:
        │      - After you create a web ACL, if you try to associate it with a resource, you might get an exception indicating that the web ACL is unavailable.
        │      - After you add a rule group to a web ACL, the new rule group rules might be in effect in one area where the web ACL is used and not in another.
        │      - After you change a rule action setting, you might see the old action in some places and the new action in others.
        │      - After you add an IP address to an IP set that is in use in a blocking rule, the new address might be blocked in one area while still allowed in another.
        │      + documentation: > This is the latest version of *AWS WAF* , named AWS WAF V2, released in November, 2019. For information, including how to migrate your AWS WAF resources from the prior release, see the [AWS WAF developer guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) . 
        │      Use a web ACL association to define an association between a web ACL and a regional application resource, to protect the resource. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, an AWS Amplify application, or an AWS Verified Access instance.
        │      For Amazon CloudFront , don't use this resource. Instead, use your CloudFront distribution configuration. To associate a web ACL with a distribution, provide the Amazon Resource Name (ARN) of the `WebACL` to your CloudFront distribution configuration. To disassociate a web ACL, provide an empty ARN. For information, see [AWS::CloudFront::Distribution](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html) .
        │      *Required permissions for customer-managed IAM policies*
        │      This call requires permissions that are specific to the protected resource type. For details, see [Permissions for AssociateWebACL](https://docs.aws.amazon.com/waf/latest/developerguide/security_iam_service-with-iam.html#security_iam_action-AssociateWebACL) in the *AWS WAF Developer Guide* .
        │      *Temporary inconsistencies during updates*
        │      When you create or change a web ACL or other AWS WAF resources, the changes take a small amount of time to propagate to all areas where the resources are stored. The propagation time can be from a few seconds to a number of minutes.
        │      The following are examples of the temporary inconsistencies that you might notice during change propagation:
        │      - After you create a web ACL, if you try to associate it with a resource, you might get an exception indicating that the web ACL is unavailable.
        │      - After you add a rule group to a web ACL, the new rule group rules might be in effect in one area where the web ACL is used and not in another.
        │      - After you change a rule action setting, you might see the old action in some places and the new action in others.
        │      - After you add an IP address to an IP set that is in use in a blocking rule, the new address might be blocked in one area while still allowed in another.
        └ properties
           └ ResourceArn: (documentation changed)

@aws-cdk-automation @github-actions
feat: update L1 CloudFormation resource definitions
8c88f0d 
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`
@aws-cdk-automation aws-cdk-automation added contribution/core This is a PR that came from AWS. dependencies This issue is a problem in a dependency or a pull request that updates a dependency file. pr-linter/exempt-readme The PR linter will not require README changes pr-linter/exempt-test The PR linter will not require test changes pr-linter/exempt-integ-test The PR linter will not require integ test changes labels Mar 31, 2025
@aws-cdk-automation aws-cdk-automation requested review from a team March 31, 2025 13:55
@github-actions github-actions bot added the p2 label Mar 31, 2025
@codecov Codecov
Copy link

codecov bot commented Mar 31, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.98%. Comparing base (cd425c7) to head (eeb986b).
Report is 1 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main   #33980   +/-   ##
=======================================
  Coverage   83.98%   83.98%           
=======================================
  Files         120      120           
  Lines        6976     6976           
  Branches     1178     1178           
=======================================
  Hits         5859     5859           
  Misses       1005     1005           
  Partials      112      112
Flag Coverage Δ
suite.unit 83.98% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
packages/aws-cdk ∅ <ø> (∅)
packages/aws-cdk-lib/core 83.98% <ø> (ø)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Mar 31, 2025
@github-actions github-actions bot mentioned this pull request Apr 1, 2025
Closed
@aws-rafams
Copy link

Bedrock Knowledge Bases Updates haven't been picked up by this or previous updates. Could you check why?
Current CDK spec vs Current CloudFormation Spec

These properties have been available in CFN for at least 2 weeks.
Missing:

@krokoko
Copy link
Contributor

krokoko commented Apr 2, 2025

@pahud @paulhcsun could you please check for the request above from @aws-rafams ? Those missing properties are preventing users from building graphRag based scenarios through CDK

@SimonCMoore
Copy link
Contributor

CDK generates these changes automatically based on the publicly published schema once a week. CFN usually takes a couple of weeks to publicly publish the changes (even though it may be available in CFN, the schema itself takes longer to publish).

scorbiere
scorbiere approved these changes Apr 2, 2025
View reviewed changes
Copy link
Contributor

@scorbiere scorbiere left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Description only shows changes in documentation and addition of a few properties.

@mergify Mergify
Copy link
Contributor

mergify bot commented Apr 2, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@scorbiere scorbiere added the pr/do-not-merge This PR should not be merged at this time. label Apr 2, 2025
@mergify Mergify
Copy link
Contributor

mergify bot commented Apr 2, 2025

This pull request has been removed from the queue for the following reason: pull request dequeued.

Pull request #33980 has been dequeued, merge conditions unmatch:

  • -label~=(blocked|do-not-merge|no-squash|priority-pr)
  • status-success~=AWS CodeBuild us-east-1
  • any of [🛡 GitHub branch protection]:
    • check-neutral = AWS CodeBuild us-east-1 (AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv)
    • check-skipped = AWS CodeBuild us-east-1 (AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv)
    • check-success = AWS CodeBuild us-east-1 (AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv)
  • #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • #approved-reviews-by>=1
  • #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • #changes-requested-reviews-by=0
  • -approved-reviews-by~=author
  • -closed
  • -merged
  • -title~=(WIP|wip)
  • base!=release
  • status-success=validate-pr
  • any of [🛡 GitHub branch protection]:
    • check-success = validate-pr
    • check-neutral = validate-pr
    • check-skipped = validate-pr

You should look at the reason for the failure and decide if the pull request needs to be fixed or if you want to requeue it.
If you do update this pull request, it will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue instead, you can requeue the pull request, without updating it, by posting a @mergifyio requeue comment.

@scorbiere
Copy link
Contributor

@aws-rafams @krokoko
These properties are missing because:

StorageConfiguration on AWS::Bedrock::KnowledgeBase resource is being dropped while building source model db due to error importing "oneOf" union type

Ref: https://github.com/cdklabs/awscdk-service-spec/blob/646d89e106f21beaf9d3c84cc3e150b54d6e8d08/packages/%40aws-cdk/aws-service-spec/build/patches/service-patches/bedrock.ts#L7

We need to update the patch to include these types manually.

@krokoko krokoko mentioned this pull request Apr 2, 2025
Closed
@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Apr 2, 2025
This was referenced Apr 2, 2025
Closed
Merged
github-merge-queue bot pushed a commit to cdklabs/awscdk-service-spec that referenced this pull request Apr 2, 2025
@scorbiere
fix: removing patches for bedrock resources (#1760)
057e0f6 
1. The issue building source model db, due to error importing "oneOf"
union type, was fixed by #1666.
2. The patches prevent the CDK L1 to be updated automatically.

After this fix, the modifications in Bedrock resources will
automatically be applied to the CDK L1 constructs.

This should address the concern from this comment:
aws/aws-cdk#33980 (comment)
@scorbiere scorbiere removed the pr/do-not-merge This PR should not be merged at this time. label Apr 2, 2025
@mergify Mergify
Copy link
Contributor

mergify bot commented Apr 2, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify Mergify
Copy link
Contributor

mergify bot commented Apr 3, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator Author

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: eeb986b
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify Mergify
Copy link
Contributor

mergify bot commented Apr 3, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 0923b5e into main Apr 3, 2025
20 checks passed
@mergify mergify bot deleted the automation/spec-update branch April 3, 2025 01:21
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Apr 3, 2025

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 3, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
1 more reviewer

@scorbiere scorbiere scorbiere approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
contribution/core This is a PR that came from AWS. dependencies This issue is a problem in a dependency or a pull request that updates a dependency file. p2 pr-linter/exempt-integ-test The PR linter will not require integ test changes pr-linter/exempt-readme The PR linter will not require README changes pr-linter/exempt-test The PR linter will not require test changes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@aws-cdk-automation @aws-rafams @krokoko @SimonCMoore @scorbiere