Skip to content

chore(release): 2.227.0#36135

Merged
mergify[bot] merged 32 commits intov2-releasefrom
bump/2.227.0
Nov 20, 2025
Merged

chore(release): 2.227.0#36135
mergify[bot] merged 32 commits intov2-releasefrom
bump/2.227.0

Conversation

@aws-cdk-automation
Copy link
Copy Markdown
Collaborator

@aws-cdk-automation aws-cdk-automation commented Nov 20, 2025
edited
Loading

See CHANGELOG

mrgrain and others added 30 commits November 17, 2025 12:49
@mrgrain
chore(spec2cdk): refactor code generation with LibraryBuilder abstrac…
15494b1 
…tion (#36081)

### Reason for this change

The current spec2cdk code generator (AstBuilder) is tightly coupled to aws-cdk-lib's specific structure, making it difficult to generate code for other targets like preview packages. We need a more flexible architecture that can support different library structures while maintaining the existing aws-cdk-lib generation.

### Description of changes

This PR refactors the code generation architecture to separate concerns between generic library building and aws-cdk-lib-specific implementation:

**Why LibraryBuilder base class?**
- Enables reuse of core generation logic across different library types (aws-cdk-lib, preview packages, etc.)
- Provides extension points for customizing file patterns, import paths, and module structure
- Makes the codebase testable and maintainable by reducing coupling

**Why ServiceSubmodule abstraction?**
- Encapsulates all modules related to a service (resources, augmentations, metrics, interfaces) in one place
- Simplifies tracking of cross-module dependencies and selective imports
- Provides a cleaner API for the generation process

**Key changes:**
- Extract LibraryBuilder base class with generic service submodule support
- Create AwsCdkLibBuilder as specialized implementation for aws-cdk-lib
- Introduce BaseServiceSubmodule to manage service-specific modules and imports
- Move selective import logic from RelationshipDecider to ServiceSubmodule
- Add TypeConverter.forMixin() for partial type definitions

### Describe any new or updated permissions being added

None.

### Description of how you validated changes

- All existing tests pass
- The refactoring preserves existing behavior and code generation output

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@sjakthol
feat(rds): support instance and iam-db-auth-error CloudWatch log expo…
e71a8b1 
…rts (#35058)

### Issue # (if applicable)

Closes #35018.

### Reason for this change

Add support for newly launched Aurora CloudWatch log exports.

### Description of changes

This commit updates the list of allowed CloudWatch log exports to match the values accepted by the RDS API:

> The following values are valid for each DB engine:
>
>  * Aurora MySQL - audit | error | general | instance | slowquery | iam-db-auth-error
>  * Aurora PostgreSQL - instance | postgresql | iam-db-auth-error

https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html

Tests and documentation updated to consider this change as well.

### Describe any new or updated permissions being added

N/A


### Description of how you validated changes

Unit tests have been updated to check that the new log export names are accepted. Integration tests added to verify that both CDK and RDS accept all the supported log exports.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@tarunb12
feat(imagebuilder-alpha): add support for Component Construct (#36006)
5ebf07d 
### Issue

aws/aws-cdk-rfcs#789

### Reason for this change

This change adds a new alpha module for EC2 Image Builder L2 Constructs (`@aws-cdk/aws-imagebuilder-alpha`), as outlined in aws/aws-cdk-rfcs#789. This PR specifically implements the `Component` construct.

### Description of changes

This change implements the `Component` construct, which is a higher-level construct of [`CfnComponent`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_imagebuilder.CfnComponent.html).

#### Example

```ts
const component = new imagebuilder.Component(this, 'Component', {
  componentName: 'build-and-test-component',
  componentVersion: '1.0.0',
  description: 'A build and test component',
  changeDescription: 'Initial version',
  // Encrypt component data with a KMS key
  kmsKey: kms.Key.fromKeyArn(
    this,
    'ComponentKey',
    this.formatArn({ service: 'kms', resource: 'key', resourceName: '1234abcd-12ab-34cd-56ef-1234567890ab' })
  ),
  platform: imagebuilder.Platform.LINUX,
  // Include the OS versions this component supports
  supportedOsVersions: [
    imagebuilder.OSVersion.AMAZON_LINUX,
    imagebuilder.OSVersion.RHEL_10,
    imagebuilder.OSVersion.SLES_15,
    imagebuilder.OSVersion.UBUNTU
  ],
  // Hello world component data
  data: imagebuilder.ComponentData.fromJsonObject({
    name: 'build-and-test-component',
    schemaVersion: imagebuilder.ComponentSchemaVersion.V1_0,
    phases: [
      {
        name: imagebuilder.ComponentPhaseName.BUILD,
        steps: [
          {
            action: imagebuilder.ComponentAction.EXECUTE_BASH,
            name: 'hello-world-build',
            inputs: {
              commands: ['echo "Hello build!"']
            }
          }
        ]
      },
      {
        name: imagebuilder.ComponentPhaseName.VALIDATE,
        steps: [
          {
            action: imagebuilder.ComponentAction.EXECUTE_BASH,
            name: 'hello-world-validate',
            inputs: {
              commands: ['echo "Hello validate!"']
            }
          }
        ]
      },
      {
        name: imagebuilder.ComponentPhaseName.TEST,
        steps: [
          {
            action: imagebuilder.ComponentAction.EXECUTE_BASH,
            name: 'hello-world-test',
            inputs: {
              commands: ['echo "Hello test!"']
            }
          }
        ]
      }
    ]
  })
});
```

### Describe any new or updated permissions being added

N/A - new L2 construct in alpha module

### Description of how you validated changes

Validated with unit tests and integration tests. Manually verified generated CFN templates as well.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@pahud
chore: prlinter not triggered when "Codebuild PR Build" completes (#3…
fa332bc 
…6057)

Added steps to save and upload pull request information.

### Issue # (if applicable)

Closes #36055

### Reason for this change

THE PROBLEM:
------------
PR Linter can't determine which PR to validate because:
  1. No pr_info artifact exists
  2. pull_requests array is empty (GitHub limitation)


THE SOLUTION:
-------------
Add these steps to codebuild-pr-build.yml:

```yaml
  - name: Save PR info for PR Linter
    if: github.event_name == 'pull_request'
    run: |
      mkdir -p ./pr
      echo "${{ github.event.pull_request.number }}" > ./pr/pr_number
      echo "${{ github.event.pull_request.head.sha }}" > ./pr/pr_sha

  - name: Upload PR info artifact
    if: github.event_name == 'pull_request'
    uses: actions/upload-artifact@v5
    with:
      name: pr_info
      path: pr/
```

WHY IT WORKS:
-------------

```
BEFORE (BROKEN):
┌─────────────────────────────────────────────────────────┐
│ Codebuild PR Build                                      │
│   Context: github.event.pull_request.number = 36049 ✓   │
│   Context: github.event.pull_request.head.sha = fc4... ✓│
│                                                          │
│   ✗ Does NOT save this info                             │
│   ✗ Does NOT upload artifact                            │
└─────────────────────────────────────────────────────────┘
                    │
                    │ workflow_run event
                    ▼
┌─────────────────────────────────────────────────────────┐
│ PR Linter (workflow_run context)                        │
│   Context: github.event.workflow_run.pull_requests = [] │
│   Context: No PR info available ✗                       │
│                                                          │
│   Tries to download pr_info artifact ──► ✗ Not found   │
│   Tries pull_requests[0].number ──────► ✗ Empty array  │
│                                                          │
│   Result: ✗ CANNOT DETERMINE PR NUMBER                  │
└─────────────────────────────────────────────────────────┘


AFTER (FIXED):
┌─────────────────────────────────────────────────────────┐
│ Codebuild PR Build                                      │
│   Context: github.event.pull_request.number = 36049 ✓   │
│   Context: github.event.pull_request.head.sha = fc4... ✓│
│                                                          │
│   ✓ Saves PR number to file: pr/pr_number               │
│   ✓ Saves PR SHA to file: pr/pr_sha                     │
│   ✓ Uploads pr_info artifact                            │
│      └─ Contains: pr_number=36049, pr_sha=fc4...        │
└─────────────────────────────────────────────────────────┘
                    │
                    │ workflow_run event
                    │ (artifact travels with event)
                    ▼
┌─────────────────────────────────────────────────────────┐
│ PR Linter (workflow_run context)                        │
│   Context: github.event.workflow_run.pull_requests = [] │
│                                                          │
│   Downloads pr_info artifact ─────────► ✓ Found!       │
│     └─ Extracts pr/pr_number ────────► ✓ 36049         │
│     └─ Extracts pr/pr_sha ───────────► ✓ fc4...        │
│                                                          │
│   Result: ✓ PR NUMBER DETERMINED = 36049                │
│           ✓ Can now validate the correct PR             │
└─────────────────────────────────────────────────────────┘
```

KEY INSIGHT:
------------

```
┌──────────────────────────────────────────────────────────┐
│  The PR context EXISTS in Codebuild PR Build             │
│  (triggered by pull_request event)                       │
│                                                           │
│  But it DISAPPEARS in PR Linter                          │
│  (triggered by workflow_run event)                       │
│                                                           │
│  Solution: PERSIST the context via artifact              │
│            (artifacts survive the context switch)        │
└──────────────────────────────────────────────────────────┘
```

CONTEXT AVAILABILITY:
---------------------

Codebuild PR Build (pull_request trigger):
  ✓ github.event.pull_request.number
  ✓ github.event.pull_request.head.sha
  ✓ github.event.pull_request.* (all PR data)

PR Linter (workflow_run trigger):
  ✗ github.event.pull_request (doesn't exist)
  ✗ github.event.workflow_run.pull_requests (empty array)
  ✓ github.event.workflow_run.id (can download artifacts)


ARTIFACT AS BRIDGE:
-------------------

```
  Codebuild Context          Artifact           PR Linter Context
  ─────────────────          ────────           ─────────────────

  PR #36049                                     workflow_run event
  pull_request event                            (no PR context)
       │                                              │
       │ Has PR data                                  │ No PR data
       │                                              │
       ▼                                              ▼
  Save to files          ──────────►            Download files
  - pr_number: 36049        Upload               - pr_number: 36049
  - pr_sha: fc4...          artifact             - pr_sha: fc4...
                            pr_info
                                                 ✓ PR context restored!
```

EXECUTION FLOW WITH FIX:
-------------------------

```
1. PR opened ──► Codebuild PR Build starts
                 │
                 ├─ github.event.pull_request.number = 36049 ✓
                 ├─ github.event.pull_request.head.sha = fc4... ✓
                 │
                 ├─ echo 36049 > pr/pr_number
                 ├─ echo fc4... > pr/pr_sha
                 └─ upload-artifact: pr_info
                    └─ Artifact ID: 12345

2. Codebuild completes ──► workflow_run event fires
                            │
                            └─ github.event.workflow_run.id = 19342493369

3. PR Linter triggered ──► download-if-workflow-run job
                            │
                            ├─ Download artifact from run 19342493369
                            │  └─ Finds pr_info artifact (ID: 12345) ✓
                            │
                            ├─ Extract files:
                            │  ├─ pr/pr_number = 36049 ✓
                            │  └─ pr/pr_sha = fc4... ✓
                            │
                            └─ Pass to validate-pr job:
                               └─ PR_NUMBER=36049 ✓
                               └─ PR_SHA=fc4... ✓

4. validate-pr job ──► Validates PR #36049 ✓
```

SUMMARY:
--------
The solution works because it:
  1. Captures PR context when it's available (Codebuild)
  2. Persists it in an artifact (survives context switch)
  3. Restores it when needed (PR Linter)
  4. Bypasses GitHub's pull_requests array limitation

See #36055 for details


## How do I validate 

### Test Environment
Validated on fork repository: pahud#16

### Validation Steps

1. **Applied the fix** to fork's `codebuild-pr-build.yml` (artifact upload steps)
2. **Created test PR** to trigger workflows
3. **Verified Codebuild workflow** uploaded `pr_info` artifact successfully
4. **Verified PR Linter workflow** downloaded artifact and applied label

### Results

✅ **Codebuild PR Build**: Successfully uploaded `pr_info` artifact containing:
- `pr_number`: 16
- `pr_sha`: ebeaa4c...

✅ **PR Linter**: Successfully validated PR and applied label
- Workflow run: https://github.com/pahud/aws-cdk/actions/runs/19380492593
- Label applied: `pr/needs-community-review`
- Status: ✅ Success

### Evidence

**Before fix:**
- PR Linter failed with "Cannot determine PR number"
- No `pr_info` artifact available
- workflow_run.pull_requests array was empty

**After fix:**
- PR Linter successfully downloaded `pr_info` artifact
- Correctly identified PR number and SHA
- Applied appropriate review label

### Note on Fork Testing

For fork testing only, I added a `pull_request_target` fallback to `pr-linter.yml` since `workflow_run` events don't trigger from fork workflows. This fallback is **not needed** for aws/aws-cdk as workflows run in the base repository context where `workflow_run` works correctly.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@mergify
Merge branch 'main' into merge-back/2.225.0
500cd40
@mergify
chore(merge-back): 2.225.0 (#36086)
355109e 
See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.225.0/CHANGELOG.md)
@rix0rrr
feat: grants are now available through a separate class (#35782)
21fd959 
Instead of grants being attached to the L2 class, they are now available as separate classes.

For example, for `Topic` the grants are now available as the `TopicGrants` class. This class is exposed as a public member: `public readonly grants: TopicGrants`, and can be used like this:

```ts
myTopic.grants.publish(myRole);
```

The `grantPublish` etc methods on the L2 are now no longer recommended (though they will not be deprecated immediately to not disrupt existing code too much). Instead, all examples now use the new methods, and a linter will prevent new `grantXxx()` methods from being added to the L2 level. Instead, Grant classes should be written.

The grants class can also be used if you have an L1, and can be generated for services that don't have L2s yet.

They are currently driven from a datafile, `grants.json`, in the service module directory. This data source may move to the `awscdk-service-spec` repo in the future.

## Example

An example of a generated grants class, for SNS topics:

```ts
/* eslint-disable @stylistic/max-len, eol-last */
import * as sns from "./sns.generated";
import * as iam from "aws-cdk-lib/aws-iam";

/**
 * Properties for TopicGrants
 */
interface TopicGrantsProps {
  /**
   * The resource on which actions will be allowed
   */
  readonly resource: sns.ITopicRef;

  /**
   * The resource with policy on which actions will be allowed
   *
   * @default - No resource policy is created
   */
  readonly policyResource?: iam.IResourceWithPolicyV2;

  /**
   * The encrypted resource on which actions will be allowed
   *
   * @default - No permission is added to the KMS key, even if it exists
   */
  readonly encryptedResource?: iam.IEncryptedResource;
}

/**
 * Collection of grant methods for a ITopicRef
 */
export class TopicGrants {
  /**
   * Creates grants for TopicGrants
   *
   * @internal
   */
  public static _fromTopic(resource: sns.ITopicRef): TopicGrants {
    return new TopicGrants({
      resource: resource,
      encryptedResource: (iam.GrantableResources.isEncryptedResource(resource) ? resource : undefined),
      policyResource: (iam.GrantableResources.isResourceWithPolicy(resource) ? resource : undefined)
    });
  }

  protected readonly resource: sns.ITopicRef;

  protected readonly encryptedResource?: iam.IEncryptedResource;

  protected readonly policyResource?: iam.IResourceWithPolicyV2;

  private constructor(props: TopicGrantsProps) {
    this.resource = props.resource;
    this.encryptedResource = props.encryptedResource;
    this.policyResource = props.policyResource;
  }

  /**
   * Grant topic publishing permissions to the given identity
   */
  public publish(grantee: iam.IGrantable): iam.Grant {
    const actions = ["sns:Publish"];
    const result = (this.policyResource ? iam.Grant.addToPrincipalOrResource({
      actions: actions,
      grantee: grantee,
      resourceArns: [sns.CfnTopic.arnForTopic(this.resource)],
      resource: this.policyResource
    }) : iam.Grant.addToPrincipal({
      actions: actions,
      grantee: grantee,
      resourceArns: [sns.CfnTopic.arnForTopic(this.resource)]
    }));
    this.encryptedResource?.grantOnKey(grantee, "kms:Decrypt", "kms:GenerateDataKey*");
    return result;
  }

  /**
   * Grant topic subscribing permissions to the given identity
   */
  public subscribe(grantee: iam.IGrantable): iam.Grant {
    const actions = ["sns:Subscribe"];
    const result = (this.policyResource ? iam.Grant.addToPrincipalOrResource({
      actions: actions,
      grantee: grantee,
      resourceArns: [sns.CfnTopic.arnForTopic(this.resource)],
      resource: this.policyResource
    }) : iam.Grant.addToPrincipal({
      actions: actions,
      grantee: grantee,
      resourceArns: [sns.CfnTopic.arnForTopic(this.resource)]
    }));
    return result;
  }
}
```

A few things to note:

- The class can only be created via the static method `_from<Resource>()`. For now, while we experiment with this idea, this method is marked as internal, hence the `_` leading the name.
- If the JSON config for the class contains a `keyActions`, the generated class will also have an `encryptedResource` property, that allows the Grants class to add permissions to the key, if it's present. This is done via the `IEncryptedResource` interface.
- If the JSON config for the class has `hasPolicy: true`, the generated class will also have a `policyResource` property, that allows the Grants class to create a resource policy.


## Also in this PR

- Cleanup around file pattern handling in `spec2cdk`, and a slight attempt at making it more obvious that `spec2cdk` has 2 distinct entry points; no attempt at reconciling these 2 entry points yet, I fear that's going to be a time suck.
- JSON files for a subset of services.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@newlinedeveloper
chore(ec2): increase gp3 ebs volume iops and throughput limits (#36074)
c6881e9 
### Issue #

Closes #36014

### Reason for this change

AWS recently announced increased limits for GP3 EBS volumes:
- IOPS: increased from 16,000 to 80,000
- Throughput: increased from 1,000 MiB/s to 2,000 MiB/s

The CDK currently has hardcoded validation limits that prevent users from configuring GP3 volumes with these new higher limits, even though AWS now supports them.

### Description of changes

Updated hardcoded validation limits for GP3 EBS volumes across the CDK codebase:

**Core validation updates:**
- `packages/aws-cdk-lib/aws-ec2/lib/volume.ts`: Updated IOPS range (16,000 → 80,000) and throughput range (1,000 → 2,000)
- `packages/aws-cdk-lib/aws-ec2/lib/private/ebs-util.ts`: Updated throughput validation (1,000 → 2,000)
- `packages/aws-cdk-lib/aws-ecs/lib/base/service-managed-volume.ts`: Updated IOPS and throughput limits for ECS service-managed volumes
- `packages/aws-cdk-lib/aws-autoscaling/lib/auto-scaling-group.ts`: Updated throughput range for Auto Scaling Group block devices
- `packages/aws-cdk-lib/aws-autoscaling/lib/volume.ts`: Updated JSDoc comments

**Documentation updates:**
- `packages/aws-cdk-lib/aws-ec2/README.md`: Updated throughput range documentation

**Test updates:**
- Updated unit tests in `volume.test.ts`, `launch-template.test.ts`, `fargate-service.test.ts`, and `auto-scaling-group.test.ts` to reflect new limits
- Created integration test `integ.volume-gp3-max-limits.ts` to validate the new maximum limits

### Describe any new or updated permissions being added

No new permissions required. This change only updates validation limits and does not introduce new functionality or IAM permissions.

### Description of how you validated changes

**Unit Tests:**
- Updated all existing unit tests to validate the new limits (80,000 IOPS, 2,000 MiB/s throughput)
- Verified error messages correctly reflect the new maximum values
- All unit tests pass successfully

**Integration Test:**
- Created integration test `integ.volume-gp3-max-limits.ts` that tests:
  - GP3 volume with maximum throughput (2,000 MiB/s) and minimum required IOPS (8,000)
  - GP3 volume with maximum IOPS (80,000) and default throughput
  - GP3 volume with both maximum throughput and IOPS combined

**Manual Verification:**
- Verified that volumes can be synthesized with the new maximum values
- Confirmed validation correctly rejects values above the new limits
- Tested that existing volumes with lower values continue to work

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
- [x] Unit tests updated and passing
- [x] Integration test created
- [x] Documentation updated
- [x] JSDoc comments updated

---

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@mrgrain
chore(mixins-preview): typed L1 property mixins (#36062)
0851ffd 
### Reason for this change

Adds auto-generated L1 property mixins for all CloudFormation resources, providing type-safe property application with merge strategies.

**Note:** Still a chore as package is still not yet released. This will come next.

### Description of changes

- Generates type-safe property mixins for every CloudFormation resource across all AWS services
- Adds package.json exports for all service-specific mixin modules (e.g., `@aws-cdk/mixins-preview/aws-s3/mixins`)
- Supports two merge strategies: MERGE (deep merge, default) and OVERWRITE (shallow assign)
- Enables applying L1 properties to both L1 and L2 constructs with full TypeScript support
- Updates README with L1 Property Mixins documentation and examples

Example usage:
```typescript
import '@aws-cdk/mixins-preview/with';
import { CfnBucketPropsMixin } from '@aws-cdk/mixins-preview/aws-s3/mixins';

const bucket = new s3.Bucket(scope, "Bucket")
  .with(new CfnBucketPropsMixin({
    versioningConfiguration: { status: "Enabled" },
    publicAccessBlockConfiguration: {
      blockPublicAcls: true,
      blockPublicPolicy: true
    }
  }));
```

### Describe any new or updated permissions being added

No new or updated IAM permissions.

### Description of how you validated changes

- Generated mixins for all AWS services
- Verified type safety and merge strategies
- Updated documentation with examples

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@tarunb12
feat(imagebuilder-alpha): add support for Distribution Configuration …
c36f43d 
…Construct (#36005)

### Issue #

aws/aws-cdk-rfcs#789

### Reason for this change

This change adds a new alpha module for EC2 Image Builder L2 Constructs (`@aws-cdk/aws-imagebuilder-alpha`), as outlined in aws/aws-cdk-rfcs#789. This PR specifically implements the `DistributionConfiguration` construct.

### Description of changes

This change implements the `DistributionConfiguration` construct, which is a higher-level construct of [`CfnDistributionConfiguration`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_imagebuilder.CfnDistributionConfiguration.html).

#### Example

```ts
const distributionConfiguration = new imagebuilder.DistributionConfiguration(this, 'DistributionConfiguration', {
  distributionConfigurationName: 'test-distribution-configuration',
  description: 'A Distribution Configuration',
  amiDistributions: [
    {
      // Distribute AMI to us-east-2 and publish the AMI ID to an SSM parameter
      region: 'us-east-2',
      ssmParameters: [
        {
          parameter: ssm.StringParameter.fromStringParameterAttributes(this, 'CrossRegionParameter', {
            parameterName: '/imagebuilder/ami',
            forceDynamicReference: true
          })
        }
      ]
    }
  ]
});

// For AMI-based image builds - add an AMI distribution in the current region
distributionConfiguration.addAmiDistributions({
  amiName: 'imagebuilder-{{ imagebuilder:buildDate }}',
  amiDescription: 'Build AMI',
  amiKmsKey: kms.Key.fromLookup(this, 'ComponentKey', { aliasName: 'alias/distribution-encryption-key' }),
  // Copy the AMI to different accounts
  amiTargetAccountIds: ['123456789012', '098765432109'],
  // Add launch permissions on the AMI
  amiLaunchPermission: {
    organizationArns: [
      this.formatArn({ region: '', service: 'organizations', resource: 'organization', resourceName: 'o-1234567abc' })
    ],
    organizationalUnitArns: [
      this.formatArn({
        region: '',
        service: 'organizations',
        resource: 'ou',
        resourceName: 'o-1234567abc/ou-a123-b4567890'
      })
    ],
    userGroups: ['all'],
    userIds: ['234567890123']
  },
  // Attach tags to the AMI
  amiTags: {
    Environment: 'production',
    Version: '{{ imagebuilder:buildVersion }}'
  },
  // Optional - publish the distributed AMI ID to an SSM parameter
  ssmParameters: [
    {
      parameter: ssm.StringParameter.fromStringParameterAttributes(this, 'Parameter', {
        parameterName: '/imagebuilder/ami',
        forceDynamicReference: true
      })
    },
    {
      amiAccount: '098765432109',
      dataType: ssm.ParameterDataType.TEXT,
      parameter: ssm.StringParameter.fromStringParameterAttributes(this, 'CrossAccountParameter', {
        parameterName: 'imagebuilder-prod-ami',
        forceDynamicReference: true
      })
    }
  ],
  // Optional - create a new launch template version with the distributed AMI ID
  launchTemplates: [
    {
      launchTemplate: ec2.LaunchTemplate.fromLaunchTemplateAttributes(this, 'LaunchTemplate', {
        launchTemplateName: 'imagebuilder-ami'
      }),
      setDefaultVersion: true
    },
    {
      accountId: '098765432109',
      launchTemplate: ec2.LaunchTemplate.fromLaunchTemplateAttributes(this, 'CrossAccountLaunchTemplate', {
        launchTemplateName: 'imagebuilder-cross-account-ami'
      }),
      setDefaultVersion: true
    }
  ],
  // Optional - enable Fast Launch on an imported launch template
  fastLaunchConfigurations: [
    {
      enabled: true,
      launchTemplate: ec2.LaunchTemplate.fromLaunchTemplateAttributes(this, 'FastLaunchLT', {
        launchTemplateName: 'fast-launch-lt'
      }),
      maxParallelLaunches: 10,
      targetSnapshotCount: 2
    }
  ],
  // Optional - license configurations to apply to the AMI
  licenseConfigurationArns: [
    'arn:aws:license-manager:us-west-2:123456789012:license-configuration:lic-abcdefghijklmnopqrstuvwxyz'
  ]
});
```

### Describe any new or updated permissions being added

N/A - new L2 construct in alpha module

### Description of how you validated changes

Validated with unit tests and integration tests. Manually verified generated CFN templates as well.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@ozelalisen
docs(ecr): capitalize Import in existing repository header (#35787)
183ec35 
### Reason for this change



Headers should follow proper title case formatting

### Description of changes



Capitalized "Import" in the "Import existing repository" header in ECR README



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@otaviomacedo
feat(dynamodb): add TableGrants and StreamGrants (#36093)
d0b074a 
### What is changing?

This PR introduces two new classes, `TableGrants` and `StreamGrants`, that allow the assignment of permissions, in a uniform way, to both L1s and L2s:

```ts
const table = new Table(...); // or new CfnTable(...)
const role = new Role(...);

// Allow the role to read data from the table
const grant = TableGrants._fromTable(table).readData(role);
```

To make the interface more similar to the auto-generated grants (e.g., `TopicGrants`), `TableGrants._fromTable()` takes a new interface, `IIndexableRegionalTable` as a parameter.

```ts
export interface IIndexableRegionalTable extends ITableRef {  
  /**  
   * Additional regions other than the main one that this table is replicated to    *   
   * @default no regions  
   */  
   readonly regions?: string[];  
  
  /**  
   * Whether this table has indexes   
   *   
   * If so, permissions are granted on all table indexes as well.   
   *   
   * @default false  
   */  
   readonly hasIndex?: boolean;  
}
```

And now `TableBase` implements `IIndexableRegionalTable`. `TableBase` has also gained two additional public immutable properties: `grants` and `streamGrants`, that should be used to grant permissions on a table. The existing `grant*()` methods will be deprecated soon.

### Why did the integration test templates change?

The current implementation uses `Lazy.string()` to produce the regional ARNs. Since the `produce()` method has to return _something_, it returned `Aws.NO_VALUE` when there was no real value to produce. In `TableGrants`, by contrast, the ARNs are computed eagerly in the constructor, so there is no need for pseudo-values. This is what caused the integration test templates to change. There are additional changes that are purely in the order of JSON properties.

### Why does `StreamGrants` not have a `_fromStream()` static method?

Unlike table, a table stream is not a resource in CloudFormation. So, although we could try to mimic one, by creating interfaces like `ITableStream`,  `ITableStreamRef`, `TableStreamReference`, there is nothing to gain from it. The consumer would still have to assemble an object from properties of a `Table` of `CfnTable` anyway.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@ozelalisen
revert(imagebuilder-alpha): add support for Distribution Configuratio…
8d6867a 
…n Construct (#36103)

reverts #36005 as it caused JSII errors that is coming from https://github.com/cdklabs/cdk-generate-synthetic-examples

```
@aws-cdk.aws-imagebuilder-alpha.Repository-example.ts:18:58 - error TS2345: Argument of type 'Repository' is not assignable to parameter of type 'IRepository'.
--
Type 'Repository' is missing the following properties from type 'IRepository': repositoryArn, repositoryUri, registryUri, repositoryUriForTag, and 16 more.
 
18 const repository = imagebuilder_alpha.Repository.fromEcr(repository);
~~~~~~~~~~
@aws-cdk.aws-imagebuilder-alpha.Repository-example.ts:18:58 - error TS2448: Block-scoped variable 'repository' used before its declaration.
 
18 const repository = imagebuilder_alpha.Repository.fromEcr(repository);
~~~~~~~~~~
 
@aws-cdk.aws-imagebuilder-alpha.Repository-example.ts:18:7
18 const repository = imagebuilder_alpha.Repository.fromEcr(repository);
~~~~~~~~~~
'repository' is declared here.
@aws-cdk.aws-imagebuilder-alpha.Repository-example.ts:18:58 - error TS2454: Variable 'repository' is used before being assigned.
 
18 const repository = imagebuilder_alpha.Repository.fromEcr(repository);
```
@ozelalisen
revert(imagebuilder-alpha): add support for Component Construct (#36104)
689ad05 
Reverts #36006 as it caused JSII errors that is coming from https://github.com/cdklabs/cdk-generate-synthetic-examples
```

@aws-cdk.aws-imagebuilder-alpha.ComponentDocumentPhase-example.ts:9:1 - error TS7005: Variable 'declare' implicitly has an 'any' type.
--
 
9 declare const inputs: any;
~~~~~~~
@aws-cdk.aws-imagebuilder-alpha.ComponentDocumentPhase-example.ts:9:9 - error TS1005: ',' expected.
 
9 declare const inputs: any;
~~~~~
@aws-cdk.aws-imagebuilder-alpha.ComponentDocumentPhase-example.ts:18:4 - error TS1005: '(' expected.
 
18  if: any;
~
@aws-cdk.aws-imagebuilder-alpha.ComponentDocumentPhase-example.ts:18:6 - error TS2693: 'any' only refers to a type, but is being used as a value here.
 
18  if: any;
~~~
@aws-cdk.aws-imagebuilder-alpha.ComponentDocumentPhase-example.ts:27:9 - error TS1109: Expression expected.
 
27     if: if,
~~
@aws-cdk.aws-imagebuilder-alpha.ComponentDocumentPhase-example.ts:27:11 - error TS1005: ':' expected.
 
27     if: if,
~
@aws-cdk.aws-imagebuilder-alpha.ComponentDocumentStep-example.ts:9:1 - error TS7005: Variable 'declare' implicitly has an 'any' type.
 
9 declare const inputs: any;
~~~~~~~
@aws-cdk.aws-imagebuilder-alpha.ComponentDocumentStep-example.ts:9:9 - error TS1005: ',' expected.
 
9 declare const inputs: any;
~~~~~
@aws-cdk.aws-imagebuilder-alpha.ComponentDocumentStep-example.ts:18:4 - error TS1005: '(' expected.
 
18  if: any;
~
@aws-cdk.aws-imagebuilder-alpha.ComponentDocumentStep-example.ts:18:6 - error TS2693: 'any' only refers to a type, but is being used as a value here.
 
18  if: any;
~~~
@aws-cdk.aws-imagebuilder-alpha.ComponentDocumentStep-example.ts:25:7 - error TS1109: Expression expected.
 
25   if: if,
~~
@aws-cdk.aws-imagebuilder-alpha.ComponentDocumentStep-example.ts:25:9 - error TS1005: ':' expected.
 
25   if: if,
~


```
@mazyu36
fix(bedrock-agentcore-alpha): fix unexpected validation error when pr…
084b736 
…operties are Token (#35978)

### Issue # (if applicable)

N/A

### Reason for this change

Some Validation logics were throwing unexpected errors when properties are defined as CDK `Token` types. 
`string` or `number` may be `Token`.

### Description of changes

- Added `Token` type checking before property validation
- Added test cases for `Token` properties to verify not throwing errors.

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes
Added unit tests to verify `Token` properties bypass validation


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@kg-aws
docs(ecs): added note for work around from LaunchType to CapacityProv…
3d0bf5c 
…i… (#36088)

### Issue # (if applicable)

Closes #35742 

### Reason for this change



### Description of changes

- Corrected the doc to use `FargateService` when using Managed Instances CapacityProvider.
- Added a work around for migrating existing service with LaunchType to use Managed Instances CapacityProvider without replacement.

### Describe any new or updated permissions being added




### Description of how you validated changes



### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@mazyu36
chore(bedrock-alpha): add Claude 4 models and missing Cross region in…
c2add2b 
…ference profile (#35908)

### Issue # (if applicable)

N/A
### Reason for this change
Although L2 Construct of bedrock-agentcore has been released, in the bedrock-alpha inference profiles that can be utilized within it, the definitions for Anthropic's latest Claude 4 Family and its associated cross-region inference profiles are missing.


### Description of changes
* Add Claude 4 models
* Add missing Cross Region Inferences Profile supported in Claude 4 family.



### Describe any new or updated permissions being added
N/A



### Description of how you validated changes
Tests are not added because only enums are added.


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@go-to-k
docs(agentcore): add documentation for granting permissions to invoke…
1413892 
… models (#35902)

### Issue # (if applicable)

Related: #35853

### Reason for this change



The current documentation makes it unclear that users need to explicitly grant permissions to invoke Bedrock models.

see comments in threads: #35850

### Description of changes

Create an additional section for granting permissions.



### Describe any new or updated permissions being added




### Description of how you validated changes



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@tarunb12
feat(imagebuilder-alpha): add support for Distribution Configuration …
6051039 
…Construct (#36108)

### Reason for this change

Reapplying #36005, following revert in 36103. Adds JSDoc examples in `Repository` where it was causing issues.

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

Built locally, tests are passing

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@tarunb12
feat(imagebuilder-alpha): add support for Component Construct (#36107)
93a76e4 
### Reason for this change

Reapplying #36006, following revert in #36104. Adds JSDoc examples in the places that it was causing issues

### Describe any new or updated permissions being added

N/A


### Description of how you validated changes

Built locally, tests are passing

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@otaviomacedo
feat(s3): add BucketGrants (#36102)
5891172 
Create a new class, `BucketGrants`, that has all the grants methods, and delegate the `grant*()` methods in `BucketBase` to it.

**Note**: `grantPublicAccess()` first validates that it is allowed to proceed by checking the `disallowPublicAccess` protected property. To move this logic over to a new class, it was necessary to make `disallowPublicAccess` public. Since it was only set during instantiation and was protected, it was effectively immutable from the outside. But we can't make it immutable because this would be considered a backwards incompatible change. On the other hand, there is not harm. Users can disallow public access at any moment now, instead of just at creation of the object. For `CfnBucket`, granting public access will always be allowed.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@mrgrain
chore(core): add parseAnalytics function for debugging (#36125)
8df9b06 
### Reason for this change

It always bothered me that we don't have an easy way of converting a template analytics string back for debugging.
This PR adds a debugging utility to decode analytics strings back into readable ConstructInfo objects.

### Description of changes

- Added `parseAnalytics()` function that reverses the `formatAnalytics()` encoding
- Added `parsePrefixEncodedList()` helper to decode the trie structure
- Added `trieToConstructInfos()` to convert trie back to ConstructInfo array
- Added comprehensive tests verifying parseAnalytics is the inverse of formatAnalytics

The implementation handles the v2:deflate64 format by base64 decoding, gunzipping, and parsing the prefix-encoded trie structure.

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Added unit tests covering:
- Single construct parsing
- Multiple constructs with same version
- Nested module constructs
- Different versions

All tests verify that `parseAnalytics(formatAnalytics(x)) === x`

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@dineshSajwan
feat(agentcore): agentcore gateway L2 construct (#35771)
07c4a0d 
### Issue # (if applicable)

Related to aws/aws-cdk-rfcs#785

### Reason for this change

Adding bedrock agent core gateway and gateway target


### Description of changes

- Added a new L2 construct for agentcore gateway
- Added a new L2 construct for agentcore gateway target
- Added validation helper methods, convenience method  like addLambdaTarget, addOpenApiTarget, and other static methods.
- Added integ and unit test cases

### Describe any new or updated permissions being added

The gateway creates a role with permission to bedrock agentcore , s3 


### Description of how you validated changes

Unit tests, integration tests, manual tests


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@otaviomacedo
feat: factory methods for Grants made public (#36123)
f9a894f 
The `<Resource>Grants._from<Resource>()` methods were marked as internal while we experimented with the interface. Make them public.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@leonmk-aws
feat(core): cfn constructs (L1s) can now accept constructs as paramet…
6be7b4b 
…ers for known resource relationships (#35838)

### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change
Reintroduces #35713

### Description of changes
#### This generates code that looks like this for non nested properties:
In the properties:
`readonly role: IamIRoleRef | string;`

This is then used in the constructor:
```
this.role = (props.role as IamIRoleRef)?.roleRef?.roleArn ?? cdk.ensureStringOrUndefined(props.role, "role", "iam.IRoleRef | string");
```
If there were multiple possible IxxRef:
```
"targetArn": (props.targetArn as SqsIQueueRef)?.queueRef?.queueArn ?? (props.targetArn as SnsITopicRef)?.topicRef?.topicArn ?? cdk.ensureStringOrUndefined(props.targetArn, "targetArn", "sqs.IQueueRef | sns.ITopicRef | string")
```

#### For arrays
```
this.layers = (props.layers?.forEach((item: ILayerVersionRef | string, i: number, arr: Array<ILayerVersionRef | string>) => { arr[i] = (item as ILayerVersionRef)?.layerVersionRef?.layerVersionArn ?? cdk.ensureStringOrUndefined(item, "layers", "lambda.ILayerVersionRef | string"); }), props.layers as Array<string>);
```

### Nested properties are currently disabled as they are backwards incompatible in the state of this PR
#### For nested properties
The props behave the same way, "flatten" functions are generated to recursively perform the same role that was done in the constructor for non nested properties:
```
function flattenCfnFunctionCodeProperty(props: CfnFunction.CodeProperty | cdk.IResolvable): CfnFunction.CodeProperty | cdk.IResolvable {
  if (cdk.isResolvableObject(props)) return props;
  return {
    "imageUri": props.imageUri,
    "s3Bucket": (props.s3Bucket as S3IBucketRef)?.bucketRef?.bucketName ?? cdk.ensureStringOrUndefined(props.s3Bucket, "s3Bucket", "s3.IBucketRef | string"),
    "s3Key": props.s3Key,
    "s3ObjectVersion": props.s3ObjectVersion,
    "sourceKmsKeyArn": props.sourceKmsKeyArn,
    "zipFile": props.zipFile
  };
}
```

#### For arrays of nested props:
```
(cdk.isResolvableObject(props.fileSystemConfigs) ? props.fileSystemConfigs : (!props.fileSystemConfigs ? undefined : props.fileSystemConfigs.forEach((item: any, i: number, arr: any[]) => { arr[i] = flattenCfnFunctionFileSystemConfigProperty(item) }), props.fileSystemConfigs));


```

### Description of how you validated changes
- Checked the diffs between the previously generated code and the new one.
- Added snapshot tests
- Added unit tests for lambda
- Deployed a stack manually consisting of mixes of L1 and L2 resources using the new capabilities this PR adds

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@mergify
Merge branch 'main' into merge-back/2.226.0
9d20e8d
@mergify
chore(merge-back): 2.226.0 (#36133)
b9a5816 
See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.226.0/CHANGELOG.md)
@otaviomacedo
chore: update Grants section (#36132)
8bc8795 
Update the Grants section of the design guidelines with the new instructions on how to create Grants classes.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@aws-cdk-automation
feat: update L1 CloudFormation resource definitions (#36122)
51d805e 
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`

**L1 CloudFormation resource definition changes:**
```
├[~] service alexa-ask
│ └ resources
│    └[~]  resource Alexa::ASK::Skill
│       └ types
│          └[~] type SkillPackage
│            └ properties
│               └ S3BucketRole: (documentation changed)
├[~] service aws-aiops
│ └ resources
│    └[~]  resource AWS::AIOps::InvestigationGroup
│       ├ properties
│       │  ├ ChatbotNotificationChannels: (documentation changed)
│       │  └ EncryptionConfig: (documentation changed)
│       └ types
│          ├[~] type ChatbotNotificationChannel
│          │ └ properties
│          │    └ SNSTopicArn: (documentation changed)
│          └[~] type EncryptionConfigMap
│            └      - documentation: Use this structure if you want to use a customer managed AWS KMS key to encrypt your investigation data. If you omit this parameter, CloudWatch investigations will use an AWS key to encrypt the data. For more information, see [Encryption of investigation data](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Investigations-Security.html#Investigations-KMS) .
│                   + documentation: Use this structure if you want to use a customer managed AWS  key to encrypt your investigation data. If you omit this parameter, CloudWatch investigations will use an AWS key to encrypt the data. For more information, see [Encryption of investigation data](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Investigations-Security.html#Investigations-KMS) .
├[~] service aws-amazonmq
│ └ resources
│    └[~]  resource AWS::AmazonMQ::Broker
│       └ types
│          └[~] type EncryptionOptions
│            └ properties
│               ├ KmsKeyId: (documentation changed)
│               └ UseAwsOwnedKey: (documentation changed)
├[~] service aws-amplify
│ └ resources
│    └[~]  resource AWS::Amplify::Branch
│       ├ properties
│       │  └ Backend: (documentation changed)
│       └ types
│          └[~] type Backend
│            └ properties
│               └ StackArn: (documentation changed)
├[~] service aws-apigateway
│ └ resources
│    ├[~]  resource AWS::ApiGateway::ApiKey
│    │  └ properties
│    │     └ Name: (documentation changed)
│    ├[~]  resource AWS::ApiGateway::DomainName
│    │  └ properties
│    │     └ SecurityPolicy: (documentation changed)
│    ├[~]  resource AWS::ApiGateway::DomainNameV2
│    │  └ properties
│    │     └ SecurityPolicy: (documentation changed)
│    └[~]  resource AWS::ApiGateway::Model
│       └ properties
│          └ Name: (documentation changed)
├[~] service aws-appconfig
│ └ resources
│    └[~]  resource AWS::AppConfig::ConfigurationProfile
│       └ attributes
│          └ KmsKeyArn: (documentation changed)
├[~] service aws-appflow
│ └ resources
│    ├[~]  resource AWS::AppFlow::ConnectorProfile
│    │  └      - documentation: The `AWS::AppFlow::ConnectorProfile` resource is an Amazon AppFlow resource type that specifies the configuration profile for an instance of a connector. This includes the provided name, credentials ARN, connection-mode, and so on. The fields that are common to all types of connector profiles are explicitly specified under the `Properties` field. The rest of the connector-specific properties are specified under `Properties/ConnectorProfileConfig` .
│    │         > If you want to use AWS CloudFormation to create a connector profile for connectors that implement OAuth (such as Salesforce, Slack, Zendesk, and Google Analytics), you must fetch the access and refresh tokens. You can do this by implementing your own UI for OAuth, or by retrieving the tokens from elsewhere. Alternatively, you can use the Amazon AppFlow console to create the connector profile, and then use that connector profile in the flow creation CloudFormation template.
│    │         + documentation: The `AWS::AppFlow::ConnectorProfile` resource is an Amazon AppFlow resource type that specifies the configuration profile for an instance of a connector. This includes the provided name, credentials ARN, connection-mode, and so on. The fields that are common to all types of connector profiles are explicitly specified under the `Properties` field. The rest of the connector-specific properties are specified under `Properties/ConnectorProfileConfig` .
│    │         > If you want to use CloudFormation to create a connector profile for connectors that implement OAuth (such as Salesforce, Slack, Zendesk, and Google Analytics), you must fetch the access and refresh tokens. You can do this by implementing your own UI for OAuth, or by retrieving the tokens from elsewhere. Alternatively, you can use the Amazon AppFlow console to create the connector profile, and then use that connector profile in the flow creation CloudFormation template.
│    └[~]  resource AWS::AppFlow::Flow
│       └      - documentation: The `AWS::AppFlow::Flow` resource is an Amazon AppFlow resource type that specifies a new flow.
│              > If you want to use AWS CloudFormation to create a connector profile for connectors that implement OAuth (such as Salesforce, Slack, Zendesk, and Google Analytics), you must fetch the access and refresh tokens. You can do this by implementing your own UI for OAuth, or by retrieving the tokens from elsewhere. Alternatively, you can use the Amazon AppFlow console to create the connector profile, and then use that connector profile in the flow creation CloudFormation template.
│              + documentation: The `AWS::AppFlow::Flow` resource is an Amazon AppFlow resource type that specifies a new flow.
│              > If you want to use CloudFormation to create a connector profile for connectors that implement OAuth (such as Salesforce, Slack, Zendesk, and Google Analytics), you must fetch the access and refresh tokens. You can do this by implementing your own UI for OAuth, or by retrieving the tokens from elsewhere. Alternatively, you can use the Amazon AppFlow console to create the connector profile, and then use that connector profile in the flow creation CloudFormation template.
├[~] service aws-apprunner
│ └ resources
│    ├[~]  resource AWS::AppRunner::ObservabilityConfiguration
│    │  └ properties
│    │     └ ObservabilityConfigurationName: (documentation changed)
│    ├[~]  resource AWS::AppRunner::Service
│    │  └ properties
│    │     └ ServiceName: (documentation changed)
│    └[~]  resource AWS::AppRunner::VpcConnector
│       └ properties
│          └ VpcConnectorName: (documentation changed)
├[~] service aws-appstream
│ └ resources
│    └[~]  resource AWS::AppStream::Fleet
│       ├ properties
│       │  └[+] RootVolumeConfig: VolumeConfig
│       └ types
│          └[+]  type VolumeConfig
│             ├      name: VolumeConfig
│             └ properties
│                └ VolumeSizeInGb: integer
├[~] service aws-appsync
│ └ resources
│    └[~]  resource AWS::AppSync::FunctionConfiguration
│       └      - documentation: The `AWS::AppSync::FunctionConfiguration` resource defines the functions in GraphQL APIs to perform certain operations. You can use pipeline resolvers to attach functions. For more information, see [Pipeline Resolvers](https://docs.aws.amazon.com/appsync/latest/devguide/pipeline-resolvers.html) in the *AWS AppSync Developer Guide* .
│              > When you submit an update, AWS CloudFormation updates resources based on differences between what you submit and the stack's current template. To cause this resource to be updated you must change a property value for this resource in the AWS CloudFormation template. Changing the Amazon S3 file content without changing a property value will not result in an update operation.
│              > 
│              > See [Update Behaviors of Stack Resources](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html) in the *AWS CloudFormation User Guide* .
│              + documentation: The `AWS::AppSync::FunctionConfiguration` resource defines the functions in GraphQL APIs to perform certain operations. You can use pipeline resolvers to attach functions. For more information, see [Pipeline Resolvers](https://docs.aws.amazon.com/appsync/latest/devguide/pipeline-resolvers.html) in the *AWS AppSync Developer Guide* .
│              > When you submit an update, AWS CloudFormation updates resources based on differences between what you submit and the stack's current template. To cause this resource to be updated you must change a property value for this resource in the CloudFormation template. Changing the Amazon S3 file content without changing a property value will not result in an update operation.
│              > 
│              > See [Update Behaviors of Stack Resources](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html) in the *AWS CloudFormation User Guide* .
├[~] service aws-aps
│ └ resources
│    ├[~]  resource AWS::APS::ResourcePolicy
│    │  └      - documentation: Use resource-based policies to grant permissions to other AWS accounts or services to access your workspace.
│    │         Only Prometheus-compatible APIs can be used for workspace sharing. You can add non-Prometheus-compatible APIs to the policy, but they will be ignored. For more information, see [Prometheus-compatible APIs](https://docs.aws.amazon.com/prometheus/latest/userguide/AMP-APIReference-Prometheus-Compatible-Apis.html) in the *Amazon Managed Service for Prometheus User Guide* .
│    │         If your workspace uses customer-managed AWS KMS keys for encryption, you must grant the principals in your resource-based policy access to those AWS KMS keys. You can do this by creating AWS KMS grants. For more information, see [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) in the *AWS KMS API Reference* and [Encryption at rest](https://docs.aws.amazon.com/prometheus/latest/userguide/encryption-at-rest-Amazon-Service-Prometheus.html) in the *Amazon Managed Service for Prometheus User Guide* .
│    │         For more information about working with IAM , see [Using Amazon Managed Service for Prometheus with IAM](https://docs.aws.amazon.com/prometheus/latest/userguide/security_iam_service-with-iam.html) in the *Amazon Managed Service for Prometheus User Guide* .
│    │         + documentation: Use resource-based policies to grant permissions to other AWS accounts or services to access your workspace.
│    │         Only Prometheus-compatible APIs can be used for workspace sharing. You can add non-Prometheus-compatible APIs to the policy, but they will be ignored. For more information, see [Prometheus-compatible APIs](https://docs.aws.amazon.com/prometheus/latest/userguide/AMP-APIReference-Prometheus-Compatible-Apis.html) in the *Amazon Managed Service for Prometheus User Guide* .
│    │         If your workspace uses customer-managed AWS  keys for encryption, you must grant the principals in your resource-based policy access to those AWS  keys. You can do this by creating AWS  grants. For more information, see [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) in the *AWS  API Reference* and [Encryption at rest](https://docs.aws.amazon.com/prometheus/latest/userguide/encryption-at-rest-Amazon-Service-Prometheus.html) in the *Amazon Managed Service for Prometheus User Guide* .
│    │         For more information about working with IAM , see [Using Amazon Managed Service for Prometheus with IAM](https://docs.aws.amazon.com/prometheus/latest/userguide/security_iam_service-with-iam.html) in the *Amazon Managed Service for Prometheus User Guide* .
│    ├[~]  resource AWS::APS::Scraper
│    │  └ vendedLogs
│    │     └[+] vendedLogs
│    │       ├permissionsVersion: V1
│    │       ├logTypes: [APPLICATION_LOGS]
│    │       └destinations: [S3, CWL, FH]
│    └[~]  resource AWS::APS::Workspace
│       ├ properties
│       │  └ KmsKeyArn: (documentation changed)
│       └ vendedLogs
│          └[+] vendedLogs
│            ├permissionsVersion: V1
│            ├logTypes: [MANAGED_PROMETHEUS_LOGS]
│            └destinations: [S3, CWL, FH]
├[~] service aws-b2bi
│ └ resources
│    └[~]  resource AWS::B2BI::Transformer
│       └ vendedLogs
│          └[+] vendedLogs
│            ├permissionsVersion: V1
│            ├logTypes: [B2BI_EXECUTION_LOGS]
│            └destinations: [S3, CWL, FH]
├[~] service aws-backup
│ └ resources
│    ├[~]  resource AWS::Backup::BackupPlan
│    │  └      - documentation: Contains an optional backup plan display name and an array of `BackupRule` objects, each of which specifies a backup rule. Each rule in a backup plan is a separate scheduled task and can back up a different selection of AWS resources.
│    │         For a sample AWS CloudFormation template, see the [AWS Backup Developer Guide](https://docs.aws.amazon.com/aws-backup/latest/devguide/assigning-resources.html#assigning-resources-cfn) .
│    │         + documentation: Contains an optional backup plan display name and an array of `BackupRule` objects, each of which specifies a backup rule. Each rule in a backup plan is a separate scheduled task and can back up a different selection of AWS resources.
│    │         For a sample CloudFormation template, see the [AWS Backup Developer Guide](https://docs.aws.amazon.com/aws-backup/latest/devguide/assigning-resources.html#assigning-resources-cfn) .
│    ├[~]  resource AWS::Backup::BackupSelection
│    │  └      - documentation: Specifies a set of resources to assign to a backup plan.
│    │         For a sample AWS CloudFormation template, see the [AWS Backup Developer Guide](https://docs.aws.amazon.com/aws-backup/latest/devguide/assigning-resources.html#assigning-resources-cfn) .
│    │         + documentation: Specifies a set of resources to assign to a backup plan.
│    │         For a sample CloudFormation template, see the [AWS Backup Developer Guide](https://docs.aws.amazon.com/aws-backup/latest/devguide/assigning-resources.html#assigning-resources-cfn) .
│    ├[~]  resource AWS::Backup::BackupVault
│    │  └      - documentation: Creates a logical container where backups are stored. A `CreateBackupVault` request includes a name, optionally one or more resource tags, an encryption key, and a request ID.
│    │         Do not include sensitive data, such as passport numbers, in the name of a backup vault.
│    │         For a sample AWS CloudFormation template, see the [AWS Backup Developer Guide](https://docs.aws.amazon.com/aws-backup/latest/devguide/assigning-resources.html#assigning-resources-cfn) .
│    │         + documentation: Creates a logical container where backups are stored. A `CreateBackupVault` request includes a name, optionally one or more resource tags, an encryption key, and a request ID.
│    │         Do not include sensitive data, such as passport numbers, in the name of a backup vault.
│    │         For a sample CloudFormation template, see the [AWS Backup Developer Guide](https://docs.aws.amazon.com/aws-backup/latest/devguide/assigning-resources.html#assigning-resources-cfn) .
│    ├[~]  resource AWS::Backup::Framework
│    │  └      - documentation: Creates a framework with one or more controls. A framework is a collection of controls that you can use to evaluate your backup practices. By using pre-built customizable controls to define your policies, you can evaluate whether your backup practices comply with your policies and which resources are not yet in compliance.
│    │         For a sample AWS CloudFormation template, see the [AWS Backup Developer Guide](https://docs.aws.amazon.com/aws-backup/latest/devguide/bam-cfn-integration.html#bam-cfn-frameworks-template) .
│    │         + documentation: Creates a framework with one or more controls. A framework is a collection of controls that you can use to evaluate your backup practices. By using pre-built customizable controls to define your policies, you can evaluate whether your backup practices comply with your policies and which resources are not yet in compliance.
│    │         For a sample CloudFormation template, see the [AWS Backup Developer Guide](https://docs.aws.amazon.com/aws-backup/latest/devguide/bam-cfn-integration.html#bam-cfn-frameworks-template) .
│    ├[~]  resource AWS::Backup::LogicallyAirGappedBackupVault
│    │  ├ properties
│    │  │  └[+] EncryptionKeyArn: string (immutable)
│    │  └ attributes
│    │     └[-] EncryptionKeyArn: string
│    └[~]  resource AWS::Backup::ReportPlan
│       └      - documentation: Creates a report plan. A report plan is a document that contains information about the contents of the report and where AWS Backup will deliver it.
│              If you call `CreateReportPlan` with a plan that already exists, you receive an `AlreadyExistsException` exception.
│              For a sample AWS CloudFormation template, see the [AWS Backup Developer Guide](https://docs.aws.amazon.com/aws-backup/latest/devguide/assigning-resources.html#assigning-resources-cfn) .
│              + documentation: Creates a report plan. A report plan is a document that contains information about the contents of the report and where AWS Backup will deliver it.
│              If you call `CreateReportPlan` with a plan that already exists, you receive an `AlreadyExistsException` exception.
│              For a sample CloudFormation template, see the [AWS Backup Developer Guide](https://docs.aws.amazon.com/aws-backup/latest/devguide/assigning-resources.html#assigning-resources-cfn) .
├[~] service aws-backupgateway
│ └ resources
│    └[~]  resource AWS::BackupGateway::Hypervisor
│       └ vendedLogs
│          └[+] vendedLogs
│            ├permissionsVersion: V1
│            ├logTypes: [BGW_HYPERVISOR_LOGS, DATA_ACCESS_LOGS]
│            └destinations: [S3, CWL, FH]
├[~] service aws-batch
│ └ resources
│    └[~]  resource AWS::Batch::ComputeEnvironment
│       └ types
│          └[~] type ComputeResources
│            └ properties
│               └ Type: (documentation changed)
├[~] service aws-bedrock
│ └ resources
│    ├[~]  resource AWS::Bedrock::Agent
│    │  ├ properties
│    │  │  └ CustomerEncryptionKeyArn: (documentation changed)
│    │  └ vendedLogs
│    │     └[+] vendedLogs
│    │       ├permissionsVersion: V2
│    │       ├logTypes: [APPLICATION_LOGS]
│    │       └destinations: [S3, CWL, FH]
│    ├[~]  resource AWS::Bedrock::AgentAlias
│    │  └ vendedLogs
│    │     └[+] vendedLogs
│    │       ├permissionsVersion: V2
│    │       ├logTypes: [EVENT_LOGS]
│    │       └destinations: [S3, CWL, FH]
│    ├[~]  resource AWS::Bedrock::Blueprint
│    │  └ properties
│    │     └ KmsKeyId: (documentation changed)
│    ├[~]  resource AWS::Bedrock::DataAutomationProject
│    │  ├ properties
│    │  │  ├ KmsEncryptionContext: (documentation changed)
│    │  │  └ KmsKeyId: (documentation changed)
│    │  └ types
│    │     ├[+]  type AudioLanguageConfiguration
│    │     │  ├      name: AudioLanguageConfiguration
│    │     │  └ properties
│    │     │     ├ InputLanguages: Array<string>
│    │     │     ├ GenerativeOutputLanguage: string
│    │     │     └ IdentifyMultipleLanguages: boolean
│    │     └[~] type AudioOverrideConfiguration
│    │       └ properties
│    │          └[+] LanguageConfiguration: AudioLanguageConfiguration
│    ├[~]  resource AWS::Bedrock::DataSource
│    │  └ types
│    │     └[~] type ServerSideEncryptionConfiguration
│    │       └ properties
│    │          └ KmsKeyArn: (documentation changed)
│    ├[~]  resource AWS::Bedrock::Flow
│    │  └ vendedLogs
│    │     └[+] vendedLogs
│    │       ├permissionsVersion: V2
│    │       ├logTypes: [APPLICATION_LOGS]
│    │       └destinations: [S3, CWL, FH]
│    ├[~]  resource AWS::Bedrock::Guardrail
│    │  └ properties
│    │     └ KmsKeyArn: (documentation changed)
│    └[~]  resource AWS::Bedrock::KnowledgeBase
│       ├      - documentation: Specifies a knowledge base as a resource in a top-level template. Minimally, you must specify the following properties:
│       │      - Name – Specify a name for the knowledge base.
│       │      - RoleArn – Specify the Amazon Resource Name (ARN) of the IAM role with permissions to invoke API operations on the knowledge base. For more information, see [Create a service role for Knowledge base for Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/kb-permissions.html) .
│       │      - KnowledgeBaseConfiguration – Specify the embeddings configuration of the knowledge base. The following sub-properties are required:
│       │      - Type – Specify the value `VECTOR` .
│       │      - StorageConfiguration – Specify information about the vector store in which the data source is stored. The following sub-properties are required:
│       │      - Type – Specify the vector store service that you are using.
│       │      > Redis Enterprise Cloud vector stores are currently unsupported in AWS CloudFormation .
│       │      For more information about using knowledge bases in Amazon Bedrock , see [Knowledge base for Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-base.html) .
│       │      See the *Properties* section below for descriptions of both the required and optional properties.
│       │      + documentation: Specifies a knowledge base as a resource in a top-level template. Minimally, you must specify the following properties:
│       │      - Name – Specify a name for the knowledge base.
│       │      - RoleArn – Specify the Amazon Resource Name (ARN) of the IAM role with permissions to invoke API operations on the knowledge base. For more information, see [Create a service role for Knowledge base for Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/kb-permissions.html) .
│       │      - KnowledgeBaseConfiguration – Specify the embeddings configuration of the knowledge base. The following sub-properties are required:
│       │      - Type – Specify the value `VECTOR` .
│       │      - StorageConfiguration – Specify information about the vector store in which the data source is stored. The following sub-properties are required:
│       │      - Type – Specify the vector store service that you are using.
│       │      > Redis Enterprise Cloud vector stores are currently unsupported in CloudFormation .
│       │      For more information about using knowledge bases in Amazon Bedrock , see [Knowledge base for Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-base.html) .
│       │      See the *Properties* section below for descriptions of both the required and optional properties.
│       └ vendedLogs
│          └[+] vendedLogs
│            ├permissionsVersion: V2
│            ├logTypes: [APPLICATION_LOGS, RUNTIME_LOGS]
│            └destinations: [S3, CWL, FH]
├[~] service aws-bedrockagentcore
│ └ resources
│    ├[~]  resource AWS::BedrockAgentCore::Gateway
│    │  └ vendedLogs
│    │     └[+] vendedLogs
│    │       ├permissionsVersion: V2
│    │       ├logTypes: [APPLICATION_LOGS, TRACES]
│    │       └destinations: [S3, CWL, FH, XRAY]
│    ├[~]  resource AWS::BedrockAgentCore::Memory
│    │  └ vendedLogs
│    │     └[+] vendedLogs
│    │       ├permissionsVersion: V2
│    │       ├logTypes: [APPLICATION_LOGS, TRACES]
│    │       └destinations: [S3, CWL, FH, XRAY]
│    └[~]  resource AWS::BedrockAgentCore::Runtime
│       └ vendedLogs
│          └[+] vendedLogs
│            ├permissionsVersion: V2
│            ├logTypes: [APPLICATION_LOGS, TRACES, USAGE_LOGS]
│            └destinations: [S3, CWL, FH, XRAY]
├[~] service aws-billingconductor
│ └ resources
│    └[~]  resource AWS::BillingConductor::BillingGroup
│       ├ properties
│       │  └ PrimaryAccountId: - string (required, immutable)
│       │                      + string (immutable)
│       └ types
│          └[~] type AccountGrouping
│            └ properties
│               ├ LinkedAccountIds: - Array<string> (required)
│               │                   + Array<string>
│               └[+] ResponsibilityTransferArn: string
├[~] service aws-chatbot
│ └ resources
│    ├[~]  resource AWS::Chatbot::MicrosoftTeamsChannelConfiguration
│    │  └      - documentation: > AWS Chatbot is now  . [Learn more](https://docs.aws.amazon.com//chatbot/latest/adminguide/service-rename.html)
│    │         > 
│    │         > `Type` attribute values remain unchanged. 
│    │         The `AWS::Chatbot::MicrosoftTeamsChannelConfiguration` resource configures a Microsoft Teams channel to allow users to use  with AWS CloudFormation templates.
│    │         This resource requires some setup to be done in the  in chat applications console. To provide the required Microsoft Teams team and tenant IDs, you must perform the initial authorization flow with Microsoft Teams in the  in chat applications console, then copy and paste the IDs from the console. For more details, see steps 1-3 in [Get started with Microsoft Teams](https://docs.aws.amazon.com/chatbot/latest/adminguide/teams-setup.html#teams-client-setup) in the *in chat applications Administrator Guide* .
│    │         + documentation: > AWS Chatbot is now  . [Learn more](https://docs.aws.amazon.com//chatbot/latest/adminguide/service-rename.html)
│    │         > 
│    │         > `Type` attribute values remain unchanged. 
│    │         The `AWS::Chatbot::MicrosoftTeamsChannelConfiguration` resource configures a Microsoft Teams channel to allow users to use  with CloudFormation templates.
│    │         This resource requires some setup to be done in the  in chat applications console. To provide the required Microsoft Teams team and tenant IDs, you must perform the initial authorization flow with Microsoft Teams in the  in chat applications console, then copy and paste the IDs from the console. For more details, see steps 1-3 in [Get started with Microsoft Teams](https://docs.aws.amazon.com/chatbot/latest/adminguide/teams-setup.html#teams-client-setup) in the *in chat applications Administrator Guide* .
│    └[~]  resource AWS::Chatbot::SlackChannelConfiguration
│       └      - documentation: > AWS Chatbot is now  . [Learn more](https://docs.aws.amazon.com//chatbot/latest/adminguide/service-rename.html)
│              > 
│              > `Type` attribute values remain unchanged. 
│              The `AWS::Chatbot::SlackChannelConfiguration` resource configures a Slack channel to allow users to use  with AWS CloudFormation templates.
│              This resource requires some setup to be done in the  in chat applications console. To provide the required Slack workspace ID, you must perform the initial authorization flow with Slack in the  in chat applications console, then copy and paste the workspace ID from the console. For more details, see steps 1-3 in [Tutorial: Get started with Slack](https://docs.aws.amazon.com/chatbot/latest/adminguide/slack-setup.html#slack-client-setup) in the *in chat applications User Guide* .
│              + documentation: > AWS Chatbot is now  . [Learn more](https://docs.aws.amazon.com//chatbot/latest/adminguide/service-rename.html)
│              > 
│              > `Type` attribute values remain unchanged. 
│              The `AWS::Chatbot::SlackChannelConfiguration` resource configures a Slack channel to allow users to use  with CloudFormation templates.
│              This resource requires some setup to be done in the  in chat applications console. To provide the required Slack workspace ID, you must perform the initial authorization flow with Slack in the  in chat applications console, then copy and paste the workspace ID from the console. For more details, see steps 1-3 in [Tutorial: Get started with Slack](https://docs.aws.amazon.com/chatbot/latest/adminguide/slack-setup.html#slack-client-setup) in the *in chat applications User Guide* .
├[~] service aws-cleanrooms
│ └ resources
│    └[~]  resource AWS::CleanRooms::Membership
│       └ vendedLogs
│          └[+] vendedLogs
│            ├permissionsVersion: V1
│            ├logTypes: [ANALYSIS_LOGS]
│            └destinations: [S3, CWL, FH]
├[~] service aws-cloudformation
│ └ resources
│    ├[~]  resource AWS::CloudFormation::CustomResource
│    │  ├      - documentation: The `AWS::CloudFormation::CustomResource` resource creates a custom resource. Custom resources provide a way for you to write custom provisioning logic into your CloudFormation templates and have CloudFormation run it anytime you create, update (if you changed the custom resource), or delete a stack.
│    │  │      For more information, see [Create custom provisioning logic with custom resources](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-custom-resources.html) in the *AWS CloudFormation User Guide* .
│    │  │      > If you use AWS PrivateLink , custom resources in the VPC must have access to CloudFormation -specific Amazon S3 buckets. Custom resources must send responses to a presigned Amazon S3 URL. If they can't send responses to Amazon S3 , CloudFormation won't receive a response and the stack operation fails. For more information, see [Access CloudFormation using an interface endpoint ( AWS PrivateLink )](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/vpc-interface-endpoints.html) in the *AWS CloudFormation User Guide* .
│    │  │      + documentation: The `AWS::CloudFormation::CustomResource` resource creates a custom resource. Custom resources provide a way for you to write custom provisioning logic into your CloudFormation templates and have CloudFormation run it anytime you create, update (if you changed the custom resource), or delete a stack.
│    │  │      For more information, see [Create custom provisioning logic with custom resources](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-custom-resources.html) in the *CloudFormation User Guide* .
│    │  │      > If you use AWS PrivateLink , custom resources in the VPC must have access to CloudFormation -specific Amazon S3 buckets. Custom resources must send responses to a presigned Amazon S3 URL. If they can't send responses to Amazon S3 , CloudFormation won't receive a response and the stack operation fails. For more information, see [Access CloudFormation using an interface endpoint ( AWS PrivateLink )](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/vpc-interface-endpoints.html) in the *CloudFormation User Guide* .
│    │  └ properties
│    │     └ ServiceToken: (documentation changed)
│    ├[~]  resource AWS::CloudFormation::GuardHook
│    │  ├      - documentation: The `AWS::CloudFormation::GuardHook` resource creates and activates a Guard Hook. Using the Guard domain specific language (DSL), you can author Guard Hooks to evaluate your resources before allowing stack operations.
│    │  │      For more information, see [Guard Hooks](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/guard-hooks.html) in the *AWS CloudFormation Hooks User Guide* .
│    │  │      + documentation: The `AWS::CloudFormation::GuardHook` resource creates and activates a Guard Hook. Using the Guard domain specific language (DSL), you can author Guard Hooks to evaluate your resources before allowing stack operations.
│    │  │      For more information, see [Guard Hooks](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/guard-hooks.html) in the *CloudFormation Hooks User Guide* .
│    │  ├ properties
│    │  │  └ TargetOperations: (documentation changed)
│    │  └ types
│    │     ├[~] type StackFilters
│    │     │ └      - documentation: The `StackFilters` property type specifies stack level filters for a Hook.
│    │     │        The `StackNames` or `StackRoles` properties are optional. However, you must specify at least one of these properties.
│    │     │        For more information, see [AWS CloudFormation Hooks stack level filters](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/hooks-stack-level-filtering.html) .
│    │     │        + documentation: The `StackFilters` property type specifies stack level filters for a Hook.
│    │     │        The `StackNames` or `StackRoles` properties are optional. However, you must specify at least one of these properties.
│    │     │        For more information, see [CloudFormation Hooks stack level filters](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/hooks-stack-level-filtering.html) .
│    │     ├[~] type StackNames
│    │     │ └      - documentation: Specifies the stack names for the `StackFilters` property type to include or exclude specific stacks from Hook invocations.
│    │     │        For more information, see [AWS CloudFormation Hooks stack level filters](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/hooks-stack-level-filtering.html) .
│    │     │        + documentation: Specifies the stack names for the `StackFilters` property type to include or exclude specific stacks from Hook invocations.
│    │     │        For more information, see [CloudFormation Hooks stack level filters](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/hooks-stack-level-filtering.html) .
│    │     ├[~] type StackRoles
│    │     │ └      - documentation: Specifies the stack roles for the `StackFilters` property type to include or exclude specific stacks from Hook invocations based on their associated IAM roles.
│    │     │        For more information, see [AWS CloudFormation Hooks stack level filters](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/hooks-stack-level-filtering.html) .
│    │     │        + documentation: Specifies the stack roles for the `StackFilters` property type to include or exclude specific stacks from Hook invocations based on their associated IAM roles.
│    │     │        For more information, see [CloudFormation Hooks stack level filters](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/hooks-stack-level-filtering.html) .
│    │     └[~] type TargetFilters
│    │       └      - documentation: The `TargetFilters` property type specifies the target filters for the Hook.
│    │              For more information, see [AWS CloudFormation Hook target filters](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/hooks-target-filtering.html) .
│    │              + documentation: The `TargetFilters` property type specifies the target filters for the Hook.
│    │              For more information, see [CloudFormation Hook target filters](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/hooks-target-filtering.html) .
│    ├[~]  resource AWS::CloudFormation::HookDefaultVersion
│    │  └      - documentation: The `AWS::CloudFormation::HookDefaultVersion` resource specifies the default version of a Hook. The default version of the Hook is used in CloudFormation operations for this AWS account and AWS Region .
│    │         For information about the CloudFormation registry, see [Managing extensions with the CloudFormation registry](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html) in the *AWS CloudFormation User Guide* .
│    │         This resource type is not compatible with Guard and Lambda Hooks.
│    │         + documentation: The `AWS::CloudFormation::HookDefaultVersion` resource specifies the default version of a Hook. The default version of the Hook is used in CloudFormation operations for this AWS account and AWS Region .
│    │         For information about the CloudFormation registry, see [Managing extensions with the CloudFormation registry](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html) in the *CloudFormation User Guide* .
│    │         This resource type is not compatible with Guard and Lambda Hooks.
│    ├[~]  resource AWS::CloudFormation::HookTypeConfig
│    │  └      - documentation: The `AWS::CloudFormation::HookTypeConfig` resource specifies the configuration of an activated Hook.
│    │         For information about the CloudFormation registry, see [Managing extensions with the CloudFormation registry](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html) in the *AWS CloudFormation User Guide* .
│    │         + documentation: The `AWS::CloudFormation::HookTypeConfig` resource specifies the configuration of an activated Hook.
│    │         For information about the CloudFormation registry, see [Managing extensions with the CloudFormation registry](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html) in the *CloudFormation User Guide* .
│    ├[~]  resource AWS::CloudFormation::HookVersion
│    │  ├      - documentation: The `AWS::CloudFormation::HookVersion` resource publishes new or first version of a Hook to the CloudFormation registry.
│    │  │      For information about the CloudFormation registry, see [Managing extensions with the CloudFormation registry](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html) in the *AWS CloudFormation User Guide* .
│    │  │      This resource type is not compatible with Guard and Lambda Hooks.
│    │  │      + documentation: The `AWS::CloudFormation::HookVersion` resource publishes new or first version of a Hook to the CloudFormation registry.
│    │  │      For information about the CloudFormation registry, see [Managing extensions with the CloudFormation registry](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html) in the *CloudFormation User Guide* .
│    │  │      This resource type is not compatible with Guard and Lambda Hooks.
│    │  └ properties
│    │     └ SchemaHandlerPackage: (documentation changed)
│    ├[~]  resource AWS::CloudFormation::LambdaHook
│    │  ├      - documentation: The `AWS::CloudFormation::LambdaHook` resource creates and activates a Lambda Hook. You can use a Lambda Hook to evaluate your resources before allowing stack operations. This resource forwards requests for resource evaluation to a Lambda function.
│    │  │      For more information, see [Lambda Hooks](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/lambda-hooks.html) in the *AWS CloudFormation Hooks User Guide* .
│    │  │      + documentation: The `AWS::CloudFormation::LambdaHook` resource creates and activates a Lambda Hook. You can use a Lambda Hook to evaluate your resources before allowing stack operations. This resource forwards requests for resource evaluation to a Lambda function.
│    │  │      For more information, see [Lambda Hooks](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/lambda-hooks.html) in the *CloudFormation Hooks User Guide* .
│    │  ├ properties
│    │  │  └ TargetOperations: (documentation changed)
│    │  └ types
│    │     ├[~] type StackFilters
│    │     │ └      - documentation: The `StackFilters` property type specifies stack level filters for a Hook.
│    │     │        The `StackNames` or `StackRoles` properties are optional. However, you must specify at least one of these properties.
│    │     │        For more information, see [AWS CloudFormation Hooks stack level filters](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/hooks-stack-level-filtering.html) .
│    │     │        + documentation: The `StackFilters` property type specifies stack level filters for a Hook.
│    │     │        The `StackNames` or `StackRoles` properties are optional. However, you must specify at least one of these properties.
│    │     │        For more information, see [CloudFormation Hooks stack level filters](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/hooks-stack-level-filtering.html) .
│    │     ├[~] type StackNames
│    │     │ └      - documentation: Specifies the stack names for the `StackFilters` property type to include or exclude specific stacks from Hook invocations.
│    │     │        For more information, see [AWS CloudFormation Hooks stack level filters](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/hooks-stack-level-filtering.html) .
│    │     │        + documentation: Specifies the stack names for the `StackFilters` property type to include or exclude specific stacks from Hook invocations.
│    │     │        For more information, see [CloudFormation Hooks stack level filters](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/hooks-stack-level-filtering.html) .
│    │     ├[~] type StackRoles
│    │     │ └      - documentation: Specifies the stack roles for the `StackFilters` property type to include or exclude specific stacks from Hook invocations based on their associated IAM roles.
│    │     │        For more information, see [AWS CloudFormation Hooks stack level filters](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/hooks-stack-level-filtering.html) .
│    │     │        + documentation: Specifies the stack roles for the `StackFilters` property type to include or exclude specific stacks from Hook invocations based on their associated IAM roles.
│    │     │        For more information, see [CloudFormation Hooks stack level filters](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/hooks-stack-level-filtering.html) .
│    │     └[~] type TargetFilters
│    │       └      - documentation: The `TargetFilters` property type specifies the target filters for the Hook.
│    │              For more information, see [AWS CloudFormation Hook target filters](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/hooks-target-filtering.html) .
│    │              + documentation: The `TargetFilters` property type specifies the target filters for the Hook.
│    │              For more information, see [CloudFormation Hook target filters](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/hooks-target-filtering.html) .
│    ├[~]  resource AWS::CloudFormation::Macro
│    │  └      - documentation: The `AWS::CloudFormation::Macro` resource is a CloudFormation resource type that creates a CloudFormation macro to perform custom processing on CloudFormation templates.
│    │         For more information, see [Perform custom processing on CloudFormation templates with template macros](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-macros.html) in the *AWS CloudFormation User Guide* .
│    │         + documentation: The `AWS::CloudFormation::Macro` resource is a CloudFormation resource type that creates a CloudFormation macro to perform custom processing on CloudFormation templates.
│    │         For more information, see [Perform custom processing on CloudFormation templates with template macros](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-macros.html) in the *CloudFormation User Guide* .
│    ├[~]  resource AWS::CloudFormation::ModuleDefaultVersion
│    │  └      - documentation: Specifies the default version of a module. The default version of the module will be used in CloudFormation operations for this account and Region.
│    │         For more information, see [Create reusable resource configurations that can be included across templates with CloudFormation modules](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/modules.html) in the *AWS CloudFormation User Guide* .
│    │         For information about the CloudFormation registry, see [Managing extensions with the CloudFormation registry](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html) in the *AWS CloudFormation User Guide* .
│    │         + documentation: Specifies the default version of a module. The default version of the module will be used in CloudFormation operations for this account and Region.
│    │         For more information, see [Create reusable resource configurations that can be included across templates with CloudFormation modules](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/modules.html) in the *CloudFormation User Guide* .
│    │         For information about the CloudFormation registry, see [Managing extensions with the CloudFormation registry](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html) in the *CloudFormation User Guide* .
│    ├[~]  resource AWS::CloudFormation::ModuleVersion
│    │  ├      - documentation: The `AWS::CloudFormation::ModuleVersion` resource registers the specified version of the module with the CloudFormation registry. Registering a module makes it available for use in CloudFormation templates in your AWS account and Region.
│    │  │      For more information, see [Create reusable resource configurations that can be included across templates with CloudFormation modules](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/modules.html) in the *CloudFormation User Guide* .
│    │  │      For information about the CloudFormation registry, see [Managing extensions with the CloudFormation registry](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html) in the *AWS CloudFormation User Guide* .
│    │  │      + documentation: The `AWS::CloudFormation::ModuleVersion` resource registers the specified version of the module with the CloudFormation registry. Registering a module makes it available for use in CloudFormation templates in your AWS account and Region.
│    │  │      For more information, see [Create reusable resource configurations that can be included across templates with CloudFormation modules](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/modules.html) in the *CloudFormation User Guide* .
│    │  │      For information about the CloudFormation registry, see [Managing extensions with the CloudFormation registry](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html) in the *CloudFormation User Guide* .
│    │  └ properties
│    │     └ ModulePackage: (documentation changed)
│    ├[~]  resource AWS::CloudFormation::PublicTypeVersion
│    │  └      - documentation: The `AWS::CloudFormation::PublicTypeVersion` resource tests and publishes a registered extension as a public, third-party extension.
│    │         CloudFormation first tests the extension to make sure it meets all necessary requirements for being published in the CloudFormation registry. If it does, CloudFormation then publishes it to the registry as a public third-party extension in this Region. Public extensions are available for use by all CloudFormation users.
│    │         - For resource types, testing includes passing all contracts tests defined for the type.
│    │         - For modules, testing includes determining if the module's model meets all necessary requirements.
│    │         For more information, see [Testing your public extension prior to publishing](https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/publish-extension.html#publish-extension-testing) in the *AWS CloudFormation Command Line Interface (CLI) User Guide* .
│    │         If you don't specify a version, CloudFormation uses the default version of the extension in your account and Region for testing.
│    │         To perform testing, CloudFormation assumes the execution role specified when the type was registered.
│    │         An extension must have a test status of `PASSED` before it can be published. For more information, see [Publishing extensions to make them available for public use](https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/publish-extension.html) in the *AWS CloudFormation Command Line Interface (CLI) User Guide* .
│    │         + documentation: The `AWS::CloudFormation::PublicTypeVersion` resource tests and publishes a registered extension as a public, third-party extension.
│    │         CloudFormation first tests the extension to make sure it meets all necessary requirements for being published in the CloudFormation registry. If it does, CloudFormation then publishes it to the registry as a public third-party extension in this Region. Public extensions are available for use by all CloudFormation users.
│    │         - For resource types, testing includes passing all contracts tests defined for the type.
│    │         - For modules, testing includes determining if the module's model meets all necessary requirements.
│    │         For more information, see [Testing your public extension prior to publishing](https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/publish-extension.html#publish-extension-testing) in the *CloudFormation Command Line Interface (CLI) User Guide* .
│    │         If you don't specify a version, CloudFormation uses the default version of the extension in your account and Region for testing.
│    │         To perform testing, CloudFormation assumes the execution role specified when the type was registered.
│    │         An extension must have a test status of `PASSED` before it can be published. For more information, see [Publishing extensions to make them available for public use](https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/publish-extension.html) in the *CloudFormation Command Line Interface (CLI) User Guide* .
│    ├[~]  resource AWS::CloudFormation::Publisher
│    │  └      - documentation: The `AWS::CloudFormation::Publisher` resource registers your account as a publisher of public extensions in the CloudFormation registry. Public extensions are available for use by all CloudFormation users.
│    │         For information on requirements for registering as a public extension publisher, see [Publishing extensions to make them available for public use](https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/publish-extension.htm) in the *AWS CloudFormation Command Line Interface (CLI) User Guide* .
│    │         + documentation: The `AWS::CloudFormation::Publisher` resource registers your account as a publisher of public extensions in the CloudFormation registry. Public extensions are available for use by all CloudFormation users.
│    │         For information on requirements for registering as a public extension publisher, see [Publishing extensions to make them available for public use](https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/publish-extension.htm) in the *CloudFormation Command Line Interface (CLI) User Guide* .
│    ├[~]  resource AWS::CloudFormation::ResourceDefaultVersion
│    │  └      - documentation: The `AWS::CloudFormation::ResourceDefaultVersion` resource specifies the default version of a resource. The default version of a resource will be used in CloudFormation operations.
│    │         For information about the CloudFormation registry, see [Managing extensions with the CloudFormation registry](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html) in the *AWS CloudFormation User Guide* .
│    │         + documentation: The `AWS::CloudFormation::ResourceDefaultVersion` resource specifies the default version of a resource. The default version of a resource will be used in CloudFormation operations.
│    │         For information about the CloudFormation registry, see [Managing extensions with the CloudFormation registry](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html) in the *CloudFormation User Guide* .
│    ├[~]  resource AWS::CloudFormation::ResourceVersion
│    │  ├      - documentation: The `AWS::CloudFormation::ResourceVersion` resource registers a resource version with the CloudFormation registry. Registering a resource version makes it available for use in CloudFormation templates in your AWS account , and includes:
│    │  │      - Validating the resource schema.
│    │  │      - Determining which handlers, if any, have been specified for the resource.
│    │  │      - Making the resource available for use in your account.
│    │  │      For information about the CloudFormation registry, see [Managing extensions with the CloudFormation registry](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html) in the *AWS CloudFormation User Guide* .
│    │  │      You can have a maximum of 50 resource versions registered at a time. This maximum is per account and per Region.
│    │  │      + documentation: The `AWS::CloudFormation::ResourceVersion` resource registers a resource version with the CloudFormation registry. Registering a resource version makes it available for use in CloudFormation templates in your AWS account , and includes:
│    │  │      - Validating the resource schema.
│    │  │      - Determining which handlers, if any, have been specified for the resource.
│    │  │      - Making the resource available for use in your account.
│    │  │      For information about the CloudFormation registry, see [Managing extensions with the CloudFormation registry](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html) in the *CloudFormation User Guide* .
│    │  │      You can have a maximum of 50 resource versions registered at a time. This maximum is per account and per Region.
│    │  └ properties
│    │     └ SchemaHandlerPackage: (documentation changed)
│    ├[~]  resource AWS::CloudFormation::Stack
│    │  ├      - documentation: The `AWS::CloudFormation::Stack` resource nests a stack as a resource in a top-level template. For more information, see [Nested stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html) in the *AWS CloudFormation User Guide* .
│    │  │      You can add output values from a nested stack within the containing template. You use the [GetAtt](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html) function with the nested stack's logical name and the name of the output value in the nested stack in the format `Outputs. *NestedStackOutputName*` .
│    │  │      We strongly recommend that updates to nested stacks are run from the parent stack.
│    │  │      When you apply template changes to update a top-level stack, CloudFormation updates the top-level stack and initiates an update to its nested stacks. CloudFormation updates the resources of modified nested stacks, but doesn't update the resources of unmodified nested stacks.
│    │  │      For stacks that contain IAM resources, you must acknowledge IAM capabilities. Also, make sure that you have cancel update stack permissions, which are required if an update rolls back. For more information about IAM and CloudFormation , see [Controlling access with AWS Identity and Access Management](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/control-access-with-iam.html) in the *AWS CloudFormation User Guide* .
│    │  │      > A subset of `AWS::CloudFormation::Stack` resource type properties listed below are available to customers using CloudFormation , AWS CDK , and Cloud Control  to configure.
│    │  │      > 
│    │  │      > - `NotificationARNs`
│    │  │      > - `Parameters`
│    │  │      > - `Tags`
│    │  │      > - `TemplateURL`
│    │  │      > - `TimeoutInMinutes`
│    │  │      > 
│    │  │      > These properties can be configured only when using Cloud Control  . This is because the below properties are set by the parent stack, and thus cannot be configured using CloudFormation or AWS CDK but only Cloud Control  .
│    │  │      > 
│    │  │      > - `Capabilities`
│    │  │      > - `Description`
│    │  │      > - `DisableRollback`
│    │  │      > - `EnableTerminationProtection`
│    │  │      > - `RoleARN`
│    │  │      > - `StackName`
│    │  │      > - `StackPolicyBody`
│    │  │      > - `StackPolicyURL`
│    │  │      > - `StackStatusReason`
│    │  │      > - `TemplateBody`
│    │  │      > 
│    │  │      > Customers that configure `AWS::CloudFormation::Stack` using CloudFormation and AWS CDK can do so for nesting a CloudFormation stack as a resource in their top-level template.
│    │  │      > 
│    │  │      > These read-only properties can be accessed only when using Cloud Control  .
│    │  │      > 
│    │  │      > - `ChangeSetId`
│    │  │      > - `CreationTime`
│    │  │      > - `LastUpdateTime`
│    │  │      > - `Outputs`
│    │  │      > - `ParentId`
│    │  │      > - `RootId`
│    │  │      > - `StackId`
│    │  │      > - `StackStatus`
│    │  │      + documentation: The `AWS::CloudFormation::Stack` resource nests a stack as a resource in a top-level template. For more information, see [Nested stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html) in the *CloudFormation User Guide* .
│    │  │      You can add output values from a nested stack within the containing template. You use the [GetAtt](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html) function with the nested stack's logical name and the name of the output value in the nested stack in the format `Outputs. *NestedStackOutputName*` .
│    │  │      We strongly recommend that updates to nested stacks are run from the parent stack.
│    │  │      When you apply template changes to update a top-level stack, CloudFormation updates the top-level stack and initiates an update to its nested stacks. CloudFormation updates the resources of modified nested stacks, but doesn't update the resources of unmodified nested stacks.
│    │  │      For stacks that contain IAM resources, you must acknowledge IAM capabilities. Also, make sure that you have cancel update stack permissions, which are required if an update rolls back. For more information about IAM and CloudFormation , see [Controlling access with AWS Identity and Access Management](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/control-access-with-iam.html) in the *CloudFormation User Guide* .
│    │  │      > A subset of `AWS::CloudFormation::Stack` resource type properties listed below are available to customers using CloudFormation , AWS CDK , and Cloud Control  to configure.
│    │  │      > 
│    │  │      > - `NotificationARNs`
│    │  │      > - `Parameters`
│    │  │      > - `Tags`
│    │  │      > - `TemplateURL`
│    │  │      > - `TimeoutInMinutes`
│    │  │      > 
│    │  │      > These properties can be configured only when using Cloud Control  . This is because the below properties are set by the parent stack, and thus cannot be configured using CloudFormation or AWS CDK but only Cloud Control  .
│    │  │      > 
│    │  │      > - `Capabilities`
│    │  │      > - `Description`
│    │  │      > - `DisableRollback`
│    │  │      > - `EnableTerminationProtection`
│    │  │      > - `RoleARN`
│    │  │      > - `StackName`
│    │  │      > - `StackPolicyBody`
│    │  │      > - `StackPolicyURL`
│    │  │      > - `StackStatusReason`
│    │  │      > - `TemplateBody`
│    │  │      > 
│    │  │      > Customers that configure `AWS::CloudFormation::Stack` using CloudFormation and AWS CDK can do so for nesting a CloudFormation stack as a resource in their top-level template.
│    │  │      > 
│    │  │      > These read-only properties can be accessed only when using Cloud Control  .
│    │  │      > 
│    │  │      > - `ChangeSetId`
│    │  │      > - `CreationTime`
│    │  │      > - `LastUpdateTime`
│    │  │      > - `Outputs`
│    │  │      > - `ParentId`
│    │  │      > - `RootId`
│    │  │      > - `StackId`
│    │  │      > - `StackStatus`
│    │  └ types
│    │     └[~] type Output
│    │       └      - documentation: The Output data type.
│    │              + documentation: The `Output` data type.
│    ├[~]  resource AWS::CloudFormation::StackSet
│    │  ├ properties
│    │  │  ├ AdministrationRoleARN: (documentation changed)
│    │  │  ├ AutoDeployment: (documentation changed)
│    │  │  ├ CallAs: (documentation changed)
│    │  │  ├ Capabilities: (documentation changed)
│    │  │  └ PermissionModel: (documentation changed)
│    │  └ types
│    │     ├[~] type AutoDeployment
│    │     │ └      - documentation: Describes whether StackSets automatically deploys to AWS Organizations accounts that are added to a target organization or organizational unit (OU). For more information, see [Enable or disable automatic deployments for StackSets in AWS Organizations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-manage-auto-deployment.html) in the *AWS CloudFormation User Guide* .
│    │     │        + documentation: Describes whether StackSets automatically deploys to AWS Organizations accounts that are added to a target organization or organizational unit (OU). For more information, see [Enable or disable automatic deployments for StackSets in AWS Organizations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-manage-auto-deployment.html) in the *CloudFormation User Guide* .
│    │     └[~] type OperationPreferences
│    │       └      - documentation: The user-specified preferences for how CloudFormation performs a StackSet operation. For more information on maximum concurrent accounts and failure tolerance, see [StackSet operation options](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html#stackset-ops-options) in the *AWS CloudFormation User Guide* .
│    │              + documentation: The user-specified preferences for how CloudFormation performs a StackSet operation. For more information on maximum concurrent accounts and failure tolerance, see [StackSet operation options](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html#stackset-ops-options) in the *CloudFormation User Guide* .
│    ├[~]  resource AWS::CloudFormation::TypeActivation
│    │  └      - documentation: The `AWS::CloudFormation::TypeActivation` resource activates a public third-party extension, making it available for use in stack templates.
│    │         For information about the CloudFormation registry, see [Managing extensions with the CloudFormation registry](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html) in the *AWS CloudFormation User Guide* .
│    │         + documentation: The `AWS::CloudFormation::TypeActivation` resource activates a public third-party extension, making it available for use in stack templates.
│    │         For information about the CloudFormation registry, see [Managing extensions with the CloudFormation registry](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html) in the *CloudF…
chore(release): 2.227.0
9fd254d
@aws-cdk-automation aws-cdk-automation requested a review from a team as a code owner November 20, 2025 18:09
@aws-cdk-automation aws-cdk-automation added auto-approve pr/no-squash This PR should be merged instead of squash-merging it labels Nov 20, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team November 20, 2025 18:09
@github-actions github-actions bot added the p2 label Nov 20, 2025
@leonmk-aws leonmk-aws added the pr/do-not-merge This PR should not be merged at this time. label Nov 20, 2025
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Nov 20, 2025
@leonmk-aws leonmk-aws added pr/do-not-merge This PR should not be merged at this time. and removed pr/do-not-merge This PR should not be merged at this time. labels Nov 20, 2025
@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Nov 20, 2025
@leonmk-aws leonmk-aws removed the pr/do-not-merge This PR should not be merged at this time. label Nov 20, 2025
@mergify
Copy link
Copy Markdown
Contributor

mergify bot commented Nov 20, 2025

Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 5a3fc87 into v2-release Nov 20, 2025
39 of 40 checks passed
@mergify mergify bot deleted the bump/2.227.0 branch November 20, 2025 19:10
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Nov 20, 2025

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 20, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

Assignees

No one assigned

Labels

auto-approve contribution/core This is a PR that came from AWS. p2 pr/needs-maintainer-review This PR needs a review from a Core Team Member pr/no-squash This PR should be merged instead of squash-merging it

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.