feat: update L1 CloudFormation resource definitions #36082

Merged
mergify[bot] merged 2 commits into main from automation/spec-update
Nov 17, 2025

aws-cdk-automation commented Nov 17, 2025

Updates the L1 CloudFormation resource definitions with the latest changes from @aws-cdk/aws-service-spec

L1 CloudFormation resource definition changes:

├[~] service aws-apigateway
│ └ resources
│    ├[~]  resource AWS::ApiGateway::DomainName
│    │  └ properties
│    │     └[+] EndpointAccessMode: string
│    ├[~]  resource AWS::ApiGateway::DomainNameV2
│    │  └ properties
│    │     └[+] EndpointAccessMode: string
│    ├[~]  resource AWS::ApiGateway::Method
│    │  └ types
│    │     └[~] type Integration
│    │       └ properties
│    │          └[+] IntegrationTarget: string
│    └[~]  resource AWS::ApiGateway::RestApi
│       └ properties
│          └[+] EndpointAccessMode: string
├[~] service aws-aps
│ └ resources
│    └[~]  resource AWS::APS::Scraper
│       └ types
│          ├[~] type Source
│          │ └ properties
│          │    ├ EksConfiguration: - EksConfiguration (required)
│          │    │                   + EksConfiguration
│          │    └[+] VpcConfiguration: VpcConfiguration
│          └[+]  type VpcConfiguration
│             ├      documentation: Configuration for VPC metrics source
│             │      name: VpcConfiguration
│             └ properties
│                ├ SecurityGroupIds: Array<string> (required)
│                └ SubnetIds: Array<string> (required)
├[~] service aws-batch
│ └ resources
│    └[~]  resource AWS::Batch::ComputeEnvironment
│       └ types
│          └[~] type Ec2ConfigurationObject
│            └ properties
│               └ ImageType: (documentation changed)
├[~] service aws-bedrockagentcore
│ └ resources
│    └[~]  resource AWS::BedrockAgentCore::GatewayTarget
│       ├ attributes
│       │  └[+] LastSynchronizedAt: string
│       └ types
│          ├[+]  type McpServerTargetConfiguration
│          │  ├      name: McpServerTargetConfiguration
│          │  └ properties
│          │     └ Endpoint: string (required)
│          └[~] type McpTargetConfiguration
│            └ properties
│               └[+] McpServer: McpServerTargetConfiguration
├[~] service aws-connectcampaignsv2
│ └ resources
│    └[~]  resource AWS::ConnectCampaignsV2::Campaign
│       └ types
│          └[~] type TelephonyOutboundMode
│            └ properties
│               └ PreviewConfig: (documentation changed)
├[~] service aws-controltower
│ └ resources
│    └[~]  resource AWS::ControlTower::LandingZone
│       └ properties
│          └[+] RemediationTypes: Array<string>
├[~] service aws-directoryservice
│ └ resources
│    └[~]  resource AWS::DirectoryService::MicrosoftAD
│       └      - arnTemplate: arn:${Partition}:ds:${Region}:${Account}:${DirectoryId}
│              + arnTemplate: arn:${Partition}:ds:${Region}:${Account}:directory/${DirectoryId}
├[~] service aws-dsql
│ └ resources
│    └[~]  resource AWS::DSQL::Cluster
│       ├ properties
│       │  └[+] PolicyDocument: string
│       └ attributes
│          └[+] PolicyVersion: string
├[~] service aws-dynamodb
│ └ resources
│    └[~]  resource AWS::DynamoDB::GlobalTable
│       └ types
│          └[~] type ReplicaStreamSpecification
│            └ properties
│               └ ResourcePolicy: - ResourcePolicy
│                                 + ResourcePolicy (required)
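Review bot: In type ReplicaStreamSpecification, ResourcePolicy goes from optional to required, which breaks any L1 caller that builds this type without it. The breaking-change notice in this description names only AWS::DynamoDB::GlobalTable and "ResourcePolicy property"; it should name the ReplicaStreamSpecification type so readers do not read it as a new required top-level property on the resource.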
├[~] service aws-ec2
│ └ resources
│    └[~]  resource AWS::EC2::IPAMScope
│       ├ properties
│       │  └[+] ExternalAuthorityConfiguration: IpamScopeExternalAuthorityConfiguration
│       └ types
│          └[+]  type IpamScopeExternalAuthorityConfiguration
│             ├      documentation: The configuration that links an Amazon VPC IPAM scope to an external authority system. It specifies the type of external system and the external resource identifier that identifies your account or instance in that system.
│             │      In IPAM, an external authority is a third-party IP address management system that provides CIDR blocks when you provision address space for top-level IPAM pools. This allows you to use your existing IP management system to control which address ranges are allocated to AWS while using Amazon VPC IPAM to manage subnets within those ranges.
│             │      name: IpamScopeExternalAuthorityConfiguration
│             └ properties
│                ├ IpamScopeExternalAuthorityType: string (required)
│                └ ExternalResourceIdentifier: string (required)
├[~] service aws-elasticloadbalancingv2
│ └ resources
│    ├[~]  resource AWS::ElasticLoadBalancingV2::Listener
│    │  └ types
│    │     ├[~] type Action
│    │     │ └ properties
│    │     │    └[+] JwtValidationConfig: JwtValidationConfig
│    │     ├[+]  type JwtValidationActionAdditionalClaim
│    │     │  ├      name: JwtValidationActionAdditionalClaim
│    │     │  └ properties
│    │     │     ├ Format: string (required)
│    │     │     ├ Values: Array<string> (required)
│    │     │     └ Name: string (required)
│    │     └[+]  type JwtValidationConfig
│    │        ├      name: JwtValidationConfig
│    │        └ properties
│    │           ├ JwksEndpoint: string (required)
│    │           ├ Issuer: string (required)
│    │           └ AdditionalClaims: Array<JwtValidationActionAdditionalClaim>
│    ├[~]  resource AWS::ElasticLoadBalancingV2::ListenerRule
│    │  └ types
│    │     ├[~] type Action
│    │     │ └ properties
│    │     │    └[+] JwtValidationConfig: JwtValidationConfig
│    │     ├[+]  type JwtValidationActionAdditionalClaim
│    │     │  ├      name: JwtValidationActionAdditionalClaim
│    │     │  └ properties
│    │     │     ├ Format: string (required)
│    │     │     ├ Name: string (required)
│    │     │     └ Values: Array<string> (required)
│    │     └[+]  type JwtValidationConfig
│    │        ├      name: JwtValidationConfig
│    │        └ properties
│    │           ├ JwksEndpoint: string (required)
│    │           ├ Issuer: string (required)
│    │           └ AdditionalClaims: Array<JwtValidationActionAdditionalClaim>
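Review bot: JwtValidationConfig and JwtValidationActionAdditionalClaim are added to Listener and ListenerRule with a name but no documentation field, unlike most other new types in this update. Since these govern token validation (JwksEndpoint, Issuer, and the Format/Values of each additional claim are all plain strings), the generated L1 docs will not tell users which Format values are accepted or how AdditionalClaims are matched; suggest carrying documentation through from the schema before users configure this from the type names alone.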
│    └[~]  resource AWS::ElasticLoadBalancingV2::TargetGroup
│       └ types
│          └[~] type TargetDescription
│            └ properties
│               └[+] QuicServerId: string
├[~] service aws-glue
│ └ resources
│    └[+]  resource AWS::Glue::IdentityCenterConfiguration
│       ├      name: IdentityCenterConfiguration
│       │      cloudFormationType: AWS::Glue::IdentityCenterConfiguration
│       │      documentation: Resource Type definition for AWS::Glue::IdentityCenterConfiguration
│       ├ properties
│       │  ├ InstanceArn: string (required, immutable)
│       │  ├ Scopes: Array<string>
│       │  └ UserBackgroundSessionsEnabled: boolean
│       └ attributes
│          ├ ApplicationArn: string
│          └ AccountId: string
├[~] service aws-iotwireless
│ └ resources
│    └[~]  resource AWS::IoTWireless::WirelessDeviceImportTask
│       └      - arnTemplate: arn:${Partition}:iotwireless:${Region}:${Account}:WirelessDeviceImportTask/${WirelessDeviceImportTaskId}
│              + arnTemplate: arn:${Partition}:iotwireless:${Region}:${Account}:ImportTask/${ImportTaskId}
├[~] service aws-kinesis
│ └ resources
│    └[~]  resource AWS::Kinesis::Stream
│       ├ properties
│       │  └[+] WarmThroughputMiBps: integer
│       ├ attributes
│       │  └[+] WarmThroughputObject: WarmThroughputObject
│       └ types
│          └[+]  type WarmThroughputObject
│             ├      documentation: Represents the warm throughput configuration on the stream. This is only present for On-Demand Kinesis Data Streams in accounts that have `MinimumThroughputBillingCommitment` enabled.
│             │      name: WarmThroughputObject
│             └ properties
│                ├ TargetMiBps: integer
│                └ CurrentMiBps: integer
├[~] service aws-kms
│ └ resources
│    └[~]  resource AWS::KMS::Key
│       └ properties
│          └ KeySpec: (documentation changed)
├[~] service aws-mediaconnect
│ └ resources
│    ├[~]  resource AWS::MediaConnect::Flow
│    │  └ types
│    │     ├[+]  type FlowTransitEncryption
│    │     │  ├      documentation: The configuration that defines how content is encrypted during transit between the MediaConnect router and a MediaConnect flow.
│    │     │  │      name: FlowTransitEncryption
│    │     │  └ properties
│    │     │     ├ EncryptionKeyType: string
│    │     │     └ EncryptionKeyConfiguration: FlowTransitEncryptionKeyConfiguration (required)
│    │     ├[+]  type FlowTransitEncryptionKeyConfiguration
│    │     │  ├      name: FlowTransitEncryptionKeyConfiguration
│    │     │  └ properties
│    │     │     ├ SecretsManager: SecretsManagerEncryptionKeyConfiguration
│    │     │     └ Automatic: json
│    │     ├[+]  type SecretsManagerEncryptionKeyConfiguration
│    │     │  ├      documentation: The configuration settings for transit encryption of a flow source using AWS Secrets Manager, including the secret ARN and role ARN.
│    │     │  │      name: SecretsManagerEncryptionKeyConfiguration
│    │     │  └ properties
│    │     │     ├ SecretArn: string (required)
│    │     │     └ RoleArn: string (required)
│    │     └[~] type Source
│    │       └ properties
│    │          ├[+] RouterIntegrationState: string
│    │          └[+] RouterIntegrationTransitDecryption: FlowTransitEncryption
│    ├[~]  resource AWS::MediaConnect::FlowOutput
│    │  ├ properties
│    │  │  ├[+] RouterIntegrationState: string
│    │  │  └[+] RouterIntegrationTransitEncryption: FlowTransitEncryption
│    │  └ types
│    │     ├[+]  type FlowTransitEncryption
│    │     │  ├      documentation: The configuration that defines how content is encrypted during transit between the MediaConnect router and a MediaConnect flow.
│    │     │  │      name: FlowTransitEncryption
│    │     │  └ properties
│    │     │     ├ EncryptionKeyType: string
│    │     │     └ EncryptionKeyConfiguration: FlowTransitEncryptionKeyConfiguration (required)
│    │     ├[+]  type FlowTransitEncryptionKeyConfiguration
│    │     │  ├      name: FlowTransitEncryptionKeyConfiguration
│    │     │  └ properties
│    │     │     ├ SecretsManager: SecretsManagerEncryptionKeyConfiguration
│    │     │     └ Automatic: json
│    │     └[+]  type SecretsManagerEncryptionKeyConfiguration
│    │        ├      documentation: The configuration settings for transit encryption of a flow output using AWS Secrets Manager, including the secret ARN and role ARN.
│    │        │      name: SecretsManagerEncryptionKeyConfiguration
│    │        └ properties
│    │           ├ SecretArn: string (required)
│    │           └ RoleArn: string (required)
│    └[+]  resource AWS::MediaConnect::RouterNetworkInterface
│       ├      name: RouterNetworkInterface
│       │      cloudFormationType: AWS::MediaConnect::RouterNetworkInterface
│       │      documentation: Represents a router network interface in AWS Elemental MediaConnect that is used to define a network boundary for router resources
│       │      tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│       ├ properties
│       │  ├ Configuration: RouterNetworkInterfaceConfiguration (required)
│       │  ├ Name: string (required)
│       │  ├ RegionName: string (immutable)
│       │  └ Tags: Array<tag>
│       ├ attributes
│       │  ├ Arn: string
│       │  ├ AssociatedInputCount: integer
│       │  ├ AssociatedOutputCount: integer
│       │  ├ CreatedAt: string
│       │  ├ Id: string
│       │  ├ NetworkInterfaceType: string
│       │  ├ State: string
│       │  └ UpdatedAt: string
│       └ types
│          ├ type PublicRouterNetworkInterfaceConfiguration
│          │ ├      documentation: The configuration settings for a public router network interface, including the list of allowed CIDR blocks.
│          │ │      name: PublicRouterNetworkInterfaceConfiguration
│          │ └ properties
│          │    └ AllowRules: Array<PublicRouterNetworkInterfaceRule> (required)
│          ├ type PublicRouterNetworkInterfaceRule
│          │ ├      documentation: A rule that allows a specific CIDR block to access the public router network interface.
│          │ │      name: PublicRouterNetworkInterfaceRule
│          │ └ properties
│          │    └ Cidr: string (required)
│          ├ type RouterNetworkInterfaceConfiguration
│          │ ├      name: RouterNetworkInterfaceConfiguration
│          │ └ properties
│          │    ├ Public: PublicRouterNetworkInterfaceConfiguration
│          │    └ Vpc: VpcRouterNetworkInterfaceConfiguration
│          └ type VpcRouterNetworkInterfaceConfiguration
│            ├      documentation: The configuration settings for a router network interface within a VPC, including the security group IDs and subnet ID.
│            │      name: VpcRouterNetworkInterfaceConfiguration
│            └ properties
│               ├ SecurityGroupIds: Array<string> (required)
│               └ SubnetId: string (required)
├[~] service aws-msk
│ └ resources
│    └[~]  resource AWS::MSK::Cluster
│       ├ properties
│       │  └[+] Rebalancing: Rebalancing
│       ├ attributes
│       │  └[+] CurrentVersion: string
│       └ types
│          └[+]  type Rebalancing
│             ├      name: Rebalancing
│             └ properties
│                └ Status: string (required)
├[~] service aws-pinpoint
│ └ resources
│    ├[~]  resource AWS::Pinpoint::EmailTemplate
│    │  └      - arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/EMAIL
│    │         + arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/SMS
│    ├[~]  resource AWS::Pinpoint::InAppTemplate
│    │  └      - arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/EMAIL
│    │         + arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/SMS
│    └[~]  resource AWS::Pinpoint::PushTemplate
│       └      - arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/PUSH
│              + arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/SMS
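Review bot: All three Pinpoint arnTemplate values now end in /SMS: EmailTemplate and InAppTemplate change from /EMAIL, and PushTemplate changes from /PUSH. An identical template-type suffix across three different template resources looks like a spec generation error rather than a real ARN format change; suggest confirming against the service's documented ARN formats before any IAM policy scoping or ARN parsing relies on these templates.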
├[~] service aws-ram
│ └ resources
│    └[~]  resource AWS::RAM::Permission
│       └      - arnTemplate: arn:${Partition}:ram::${Account}:permission/${ResourcePath}
│              + arnTemplate: arn:${Partition}:ram:${Region}:${Account}:permission/${ResourcePath}
├[~] service aws-rekognition
│ └ resources
│    └[~]  resource AWS::Rekognition::Project
│       ├      - tagInformation: undefined
│       │      + tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│       └ properties
│          └[+] Tags: Array<tag>
├[~] service aws-rtbfabric
│ └ resources
│    └[+]  resource AWS::RTBFabric::InboundExternalLink
│       ├      name: InboundExternalLink
│       │      cloudFormationType: AWS::RTBFabric::InboundExternalLink
│       │      documentation: Resource Type definition for AWS::RTBFabric::InboundExternalLink Resource Type
│       │      tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│       ├ properties
│       │  ├ Tags: Array<tag>
│       │  ├ GatewayId: string (required)
│       │  ├ LinkAttributes: LinkAttributes
│       │  └ LinkLogSettings: LinkLogSettings (required)
│       ├ attributes
│       │  ├ LinkId: string
│       │  ├ Arn: string
│       │  ├ LinkStatus: string
│       │  ├ CreatedTimestamp: string
│       │  └ UpdatedTimestamp: string
│       └ types
│          ├ type ApplicationLogs
│          │ ├      name: ApplicationLogs
│          │ └ properties
│          │    └ LinkApplicationLogSampling: LinkApplicationLogSampling (required)
│          ├ type LinkApplicationLogSampling
│          │ ├      name: LinkApplicationLogSampling
│          │ └ properties
│          │    ├ ErrorLog: number (required)
│          │    └ FilterLog: number (required)
│          ├ type LinkAttributes
│          │ ├      name: LinkAttributes
│          │ └ properties
│          │    ├ ResponderErrorMasking: Array<ResponderErrorMaskingForHttpCode>
│          │    └ CustomerProvidedId: string
│          ├ type LinkLogSettings
│          │ ├      name: LinkLogSettings
│          │ └ properties
│          │    └ ApplicationLogs: ApplicationLogs (required)
│          └ type ResponderErrorMaskingForHttpCode
│            ├      name: ResponderErrorMaskingForHttpCode
│            └ properties
│               ├ HttpCode: string (required)
│               ├ Action: string (required)
│               ├ LoggingTypes: Array<string> (required)
│               └ ResponseLoggingPercentage: number
└[~] service aws-s3tables
  └ resources
     └[~]  resource AWS::S3Tables::TableBucket
        ├ properties
        │  └[+] MetricsConfiguration: MetricsConfiguration
        └ types
           └[+]  type MetricsConfiguration
              ├      documentation: Settings governing the Metric configuration for the table bucket.
              │      name: MetricsConfiguration
              └ properties
                 └ Status: string (default="Disabled")

CHANGES TO L1 RESOURCES: L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

  • aws-dynamodb: AWS::DynamoDB::GlobalTable: ResourcePolicy property is now required.

aws-cdk-automation added labels Nov 17, 2025:

  • contribution/core (This is a PR that came from AWS.)
  • dependencies (This issue is a problem in a dependency or a pull request that updates a dependency file.)
  • pr-linter/exempt-readme (The PR linter will not require README changes)
  • pr-linter/exempt-test (The PR linter will not require test changes)
  • pr-linter/exempt-integ-test (The PR linter will not require integ test changes)

aws-cdk-automation requested review from a team November 17, 2025 10:27
github-actions bot added the p2 label Nov 17, 2025
leonmk-aws self-assigned this Nov 17, 2025

mergify bot commented Nov 17, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

mergify bot merged commit 3df1d81 into main Nov 17, 2025
18 of 19 checks passed
mergify bot deleted the automation/spec-update branch November 17, 2025 11:57
github-actions bot locked as resolved and limited conversation to collaborators Nov 17, 2025