The Amazon Resource Name (ARN) associated with the resource.
- `channel_group_name` (String) - `channel_name` (String) -- `created_at` (String) -- `description` (String) -- `ingest_endpoints` (Attributes List) (see [below for nested schema](#nestedatt--ingest_endpoints)) -- `modified_at` (String) +- `created_at` (String)The date and time the channel was created.
+- `description` (String)Enter any descriptive text that helps you to identify the channel.
+- `ingest_endpoints` (Attributes List)The list of ingest endpoints.
(see [below for nested schema](#nestedatt--ingest_endpoints)) +- `modified_at` (String)The date and time the channel was modified.
- `tags` (Attributes List) (see [below for nested schema](#nestedatt--tags)) @@ -35,8 +35,8 @@ Data Source schema for AWS::MediaPackageV2::Channel Read-Only: -- `id` (String) -- `url` (String) +- `id` (String)The system-generated unique identifier for the IngestEndpoint.
+- `url` (String)The ingest domain URL where the source stream should be sent.
diff --git a/docs/data-sources/mediapackagev2_channel_group.md b/docs/data-sources/mediapackagev2_channel_group.md index 63924f15f6..d133f2e5f0 100644 --- a/docs/data-sources/mediapackagev2_channel_group.md +++ b/docs/data-sources/mediapackagev2_channel_group.md @@ -21,12 +21,12 @@ Data Source schema for AWS::MediaPackageV2::ChannelGroup ### Read-Only -- `arn` (String) +- `arn` (String)The Amazon Resource Name (ARN) associated with the resource.
- `channel_group_name` (String) -- `created_at` (String) -- `description` (String) -- `egress_domain` (String) -- `modified_at` (String) +- `created_at` (String)The date and time the channel group was created.
+- `description` (String)Enter any descriptive text that helps you to identify the channel group.
+- `egress_domain` (String)The output domain where the source stream should be sent. Integrate the domain with a downstream CDN (such as Amazon CloudFront) or playback device.
+- `modified_at` (String)The date and time the channel group was modified.
- `tags` (Attributes List) (see [below for nested schema](#nestedatt--tags)) diff --git a/docs/data-sources/rds_db_instance.md b/docs/data-sources/rds_db_instance.md index e711d8bcac..6975c65e76 100644 --- a/docs/data-sources/rds_db_instance.md +++ b/docs/data-sources/rds_db_instance.md 
@@ -21,109 +21,416 @@ Data Source schema for AWS::RDS::DBInstance ### Read-Only -- `allocated_storage` (String) The amount of storage (in gigabytes) to be initially allocated for the database instance. +- `allocated_storage` (String) The amount of storage in gibibytes (GiB) to be initially allocated for the database instance. + If any value is set in the ``Iops`` parameter, ``AllocatedStorage`` must be at least 100 GiB, which corresponds to the minimum Iops value of 1,000. If you increase the ``Iops`` value (in 1,000 IOPS increments), then you must also increase the ``AllocatedStorage`` value (in 100-GiB increments). + *Amazon Aurora* + Not applicable. Aurora cluster volumes automatically grow as the amount of data in your database increases, though you are only charged for the space that you use in an Aurora cluster volume. + *Db2* + Constraints to the amount of storage for each storage type are the following: + + General Purpose (SSD) storage (gp3): Must be an integer from 20 to 64000. + + Provisioned IOPS storage (io1): Must be an integer from 100 to 64000. + + *MySQL* + Constraints to the amount of storage for each storage type are the following: + + General Purpose (SSD) storage (gp2): Must be an integer fro - `allow_major_version_upgrade` (Boolean) A value that indicates whether major version upgrades are allowed. Changing this parameter doesn't result in an outage and the change is asynchronously applied as soon as possible. -- `associated_roles` (Attributes List) The AWS Identity and Access Management (IAM) roles associated with the DB instance. (see [below for nested schema](#nestedatt--associated_roles)) + Constraints: Major version upgrades must be allowed when specifying a value for the ``EngineVersion`` parameter that is a different major version than the DB instance's current version. +- `associated_roles` (Attributes List) The IAMlong (IAM) roles associated with the DB instance. + *Amazon Aurora* + Not applicable. 
The associated roles are managed by the DB cluster. (see [below for nested schema](#nestedatt--associated_roles)) - `auto_minor_version_upgrade` (Boolean) A value that indicates whether minor engine upgrades are applied automatically to the DB instance during the maintenance window. By default, minor engine upgrades are applied automatically. -- `automatic_backup_replication_region` (String) Enables replication of automated backups to a different Amazon Web Services Region. -- `availability_zone` (String) The Availability Zone (AZ) where the database will be created. For information on AWS Regions and Availability Zones. +- `automatic_backup_replication_region` (String) The destination region for the backup replication of the DB instance. For more info, see [Replicating automated backups to another Region](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReplicateBackups.html) in the *Amazon RDS User Guide*. +- `availability_zone` (String) The Availability Zone (AZ) where the database will be created. For information on AWS-Regions and Availability Zones, see [Regions and Availability Zones](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html). + For Amazon Aurora, each Aurora DB cluster hosts copies of its storage in three separate Availability Zones. Specify one of these Availability Zones. Aurora automatically chooses an appropriate Availability Zone if you don't specify one. + Default: A random, system-chosen Availability Zone in the endpoint's AWS-Region. + Constraints: + + The ``AvailabilityZone`` parameter can't be specified if the DB instance is a Multi-AZ deployment. + + The specified Availability Zone must be in the same AWS-Region as the current endpoint. + + Example: ``us-east-1d`` - `backup_retention_period` (Number) The number of days for which automated backups are retained. Setting this parameter to a positive number enables backups. Setting this parameter to 0 disables automated backups. 
+ *Amazon Aurora* + Not applicable. The retention period for automated backups is managed by the DB cluster. + Default: 1 + Constraints: + + Must be a value from 0 to 35 + + Can't be set to 0 if the DB instance is a source to read replicas - `ca_certificate_identifier` (String) The identifier of the CA certificate for this DB instance. -- `certificate_details` (Attributes) Returns the details of the DB instance's server certificate. (see [below for nested schema](#nestedatt--certificate_details)) -- `certificate_rotation_restart` (Boolean) A value that indicates whether the DB instance is restarted when you rotate your SSL/TLS certificate. -By default, the DB instance is restarted when you rotate your SSL/TLS certificate. The certificate is not updated until the DB instance is restarted. -If you are using SSL/TLS to connect to the DB instance, follow the appropriate instructions for your DB engine to rotate your SSL/TLS certificate -This setting doesn't apply to RDS Custom. + Specifying or updating this property triggers a reboot. For more information about CA certificate identifiers for RDS DB engines, see [Rotating Your SSL/TLS Certificate](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html) in the *Amazon RDS User Guide*. For more information about CA certificate identifiers for Aurora DB engines, see [Rotating Your SSL/TLS Certificate](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html) in the *Amazon Aurora User Guide*. +- `certificate_details` (Attributes) The details of the DB instance's server certificate. (see [below for nested schema](#nestedatt--certificate_details)) +- `certificate_rotation_restart` (Boolean) Specifies whether the DB instance is restarted when you rotate your SSL/TLS certificate. + By default, the DB instance is restarted when you rotate your SSL/TLS certificate. The certificate is not updated until the DB instance is restarted. 
+ Set this parameter only if you are *not* using SSL/TLS to connect to the DB instance. + If you are using SSL/TLS to connect to the DB instance, follow the appropriate instructions for your DB engine to rotate your SSL/TLS certificate: + + For more information about rotating your SSL/TLS certificate for RDS DB engines, see [Rotating Your SSL/TLS Certificate.](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html) in the *Amazon RDS User Guide.* + + For more information about rotating your SSL/TLS certificate for Aurora DB engines, see [Rotating Your SSL/TLS Certificate](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html) in the *Amazon Aurora User Gui - `character_set_name` (String) For supported engines, indicates that the DB instance should be associated with the specified character set. -- `copy_tags_to_snapshot` (Boolean) A value that indicates whether to copy tags from the DB instance to snapshots of the DB instance. By default, tags are not copied. -- `custom_iam_instance_profile` (String) The instance profile associated with the underlying Amazon EC2 instance of an RDS Custom DB instance. The instance profile must meet the following requirements: - * The profile must exist in your account. - * The profile must have an IAM role that Amazon EC2 has permissions to assume. - * The instance profile name and the associated IAM role name must start with the prefix AWSRDSCustom . -For the list of permissions required for the IAM role, see Configure IAM and your VPC in the Amazon RDS User Guide . - -This setting is required for RDS Custom. + *Amazon Aurora* + Not applicable. The character set is managed by the DB cluster. For more information, see [AWS::RDS::DBCluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html). 
+- `copy_tags_to_snapshot` (Boolean) Specifies whether to copy tags from the DB instance to snapshots of the DB instance. By default, tags are not copied. + This setting doesn't apply to Amazon Aurora DB instances. Copying tags to snapshots is managed by the DB cluster. Setting this value for an Aurora DB instance has no effect on the DB cluster setting. +- `custom_iam_instance_profile` (String) The instance profile associated with the underlying Amazon EC2 instance of an RDS Custom DB instance. + This setting is required for RDS Custom. + Constraints: + + The profile must exist in your account. + + The profile must have an IAM role that Amazon EC2 has permissions to assume. + + The instance profile name and the associated IAM role name must start with the prefix ``AWSRDSCustom``. + + For the list of permissions required for the IAM role, see [Configure IAM and your VPC](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-setup-orcl.html#custom-setup-orcl.iam-vpc) in the *Amazon RDS User Guide*. - `db_cluster_identifier` (String) The identifier of the DB cluster that the instance will belong to. -- `db_cluster_snapshot_identifier` (String) The identifier for the RDS for MySQL Multi-AZ DB cluster snapshot to restore from. For more information on Multi-AZ DB clusters, see Multi-AZ deployments with two readable standby DB instances in the Amazon RDS User Guide . - -Constraints: - * Must match the identifier of an existing Multi-AZ DB cluster snapshot. - * Can't be specified when DBSnapshotIdentifier is specified. - * Must be specified when DBSnapshotIdentifier isn't specified. - * If you are restoring from a shared manual Multi-AZ DB cluster snapshot, the DBClusterSnapshotIdentifier must be the ARN of the shared snapshot. - * Can't be the identifier of an Aurora DB cluster snapshot. - * Can't be the identifier of an RDS for PostgreSQL Multi-AZ DB cluster snapshot. -- `db_instance_arn` (String) The Amazon Resource Name (ARN) for the DB instance. 
-- `db_instance_class` (String) The compute and memory capacity of the DB instance, for example, db.m4.large. Not all DB instance classes are available in all AWS Regions, or for all database engines. -- `db_instance_identifier` (String) A name for the DB instance. If you specify a name, AWS CloudFormation converts it to lowercase. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the DB instance. +- `db_cluster_snapshot_identifier` (String) The identifier for the Multi-AZ DB cluster snapshot to restore from. + For more information on Multi-AZ DB clusters, see [Multi-AZ DB cluster deployments](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/multi-az-db-clusters-concepts.html) in the *Amazon RDS User Guide*. + Constraints: + + Must match the identifier of an existing Multi-AZ DB cluster snapshot. + + Can't be specified when ``DBSnapshotIdentifier`` is specified. + + Must be specified when ``DBSnapshotIdentifier`` isn't specified. + + If you are restoring from a shared manual Multi-AZ DB cluster snapshot, the ``DBClusterSnapshotIdentifier`` must be the ARN of the shared snapshot. + + Can't be the identifier of an Aurora DB cluster snapshot. +- `db_instance_arn` (String) +- `db_instance_class` (String) The compute and memory capacity of the DB instance, for example, ``db.m4.large``. Not all DB instance classes are available in all AWS Regions, or for all database engines. + For the full list of DB instance classes, and availability for your engine, see [DB Instance Class](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.DBInstanceClass.html) in the *Amazon RDS User Guide.* For more information about DB instance class pricing and AWS Region support for DB instance classes, see [Amazon RDS Pricing](https://docs.aws.amazon.com/rds/pricing/). +- `db_instance_identifier` (String) A name for the DB instance. If you specify a name, AWS CloudFormation converts it to lowercase. 
If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the DB instance. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html). + For information about constraints that apply to DB instance identifiers, see [Naming constraints in Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Limits.html#RDS_Limits.Constraints) in the *Amazon RDS User Guide*. + If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name. - `db_name` (String) The meaning of this parameter differs according to the database engine you use. -- `db_parameter_group_name` (String) The name of an existing DB parameter group or a reference to an AWS::RDS::DBParameterGroup resource created in the template. + If you specify the ``DBSnapshotIdentifier`` property, this property only applies to RDS for Oracle. + *Amazon Aurora* + Not applicable. The database name is managed by the DB cluster. + *Db2* + The name of the database to create when the DB instance is created. If this parameter isn't specified, no database is created in the DB instance. + Constraints: + + Must contain 1 to 64 letters or numbers. + + Must begin with a letter. Subsequent characters can be letters, underscores, or digits (0-9). + + Can't be a word reserved by the specified database engine. + + *MySQL* + The name of the database to create when the DB instance is created. If this parameter is not specified, no database is created in the DB instance. + Constraints: + + Must contain 1 to 64 letters or numbers. 
+ + Can't be a word reserved by the specified database engine + + *MariaDB* + The name of the database to create when the DB instance is +- `db_parameter_group_name` (String) The name of an existing DB parameter group or a reference to an [AWS::RDS::DBParameterGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbparametergroup.html) resource created in the template. + To list all of the available DB parameter group names, use the following command: + ``aws rds describe-db-parameter-groups --query "DBParameterGroups[].DBParameterGroupName" --output text`` + If any of the data members of the referenced parameter group are changed during an update, the DB instance might need to be restarted, which causes some interruption. If the parameter group contains static parameters, whether they were changed or not, an update triggers a reboot. + If you don't specify a value for ``DBParameterGroupName`` property, the default DB parameter group for the specified engine and engine version is used. - `db_security_groups` (List of String) A list of the DB security groups to assign to the DB instance. The list can include both the name of existing DB security groups or references to AWS::RDS::DBSecurityGroup resources created in the template. + If you set DBSecurityGroups, you must not set VPCSecurityGroups, and vice versa. Also, note that the DBSecurityGroups property exists only for backwards compatibility with older regions and is no longer recommended for providing security information to an RDS DB instance. Instead, use VPCSecurityGroups. 
+ If you specify this property, AWS CloudFormation sends only the following properties (if specified) to Amazon RDS during create operations: + + ``AllocatedStorage`` + + ``AutoMinorVersionUpgrade`` + + ``AvailabilityZone`` + + ``BackupRetentionPeriod`` + + ``CharacterSetName`` + + ``DBInstanceClass`` + + ``DBName`` + + ``DBParameterGroupName`` + + ``DBSecurityGroups`` + + ``DBSubnetGroupName`` + + ``Engine`` + + ``EngineVersion`` + + ``Iops`` + + ``LicenseModel`` + + - `db_snapshot_identifier` (String) The name or Amazon Resource Name (ARN) of the DB snapshot that's used to restore the DB instance. If you're restoring from a shared manual DB snapshot, you must specify the ARN of the snapshot. -- `db_subnet_group_name` (String) A DB subnet group to associate with the DB instance. If you update this value, the new subnet group must be a subnet group in a new VPC. -- `db_system_id` (String) The Oracle system ID (Oracle SID) for a container database (CDB). The Oracle SID is also the name of the CDB. This setting is valid for RDS Custom only. -- `dbi_resource_id` (String) The AWS Region-unique, immutable identifier for the DB instance. This identifier is found in AWS CloudTrail log entries whenever the AWS KMS key for the DB instance is accessed. + By specifying this property, you can create a DB instance from the specified DB snapshot. If the ``DBSnapshotIdentifier`` property is an empty string or the ``AWS::RDS::DBInstance`` declaration has no ``DBSnapshotIdentifier`` property, AWS CloudFormation creates a new database. If the property contains a value (other than an empty string), AWS CloudFormation creates a database from the specified snapshot. If a snapshot with the specified name doesn't exist, AWS CloudFormation can't create the database and it rolls back the stack. + Some DB instance properties aren't valid when you restore from a snapshot, such as the ``MasterUsername`` and ``MasterUserPassword`` properties. 
For information about the properties that you can specify, see the ``RestoreDBInstanceFromDBSnapshot`` action in the *Amazo +- `db_subnet_group_name` (String) A DB subnet group to associate with the DB instance. If you update this value, the new subnet group must be a subnet group in a new VPC. + If there's no DB subnet group, then the DB instance isn't a VPC DB instance. + For more information about using Amazon RDS in a VPC, see [Using Amazon RDS with Amazon Virtual Private Cloud (VPC)](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html) in the *Amazon RDS User Guide*. + *Amazon Aurora* + Not applicable. The DB subnet group is managed by the DB cluster. If specified, the setting must match the DB cluster setting. +- `db_system_id` (String) The Oracle system identifier (SID), which is the name of the Oracle database instance that manages your database files. In this context, the term "Oracle database instance" refers exclusively to the system global area (SGA) and Oracle background processes. If you don't specify a SID, the value defaults to ``RDSCDB``. The Oracle SID is also the name of your CDB. +- `dbi_resource_id` (String) - `dedicated_log_volume` (Boolean) Indicates whether the DB instance has a dedicated log volume (DLV) enabled. - `delete_automated_backups` (Boolean) A value that indicates whether to remove automated backups immediately after the DB instance is deleted. This parameter isn't case-sensitive. The default is to remove automated backups immediately after the DB instance is deleted. -- `deletion_protection` (Boolean) A value that indicates whether the DB instance has deletion protection enabled. The database can't be deleted when deletion protection is enabled. By default, deletion protection is disabled. -- `domain` (String) The Active Directory directory ID to create the DB instance in. Currently, only MySQL, Microsoft SQL Server, Oracle, and PostgreSQL DB instances can be created in an Active Directory Domain. 
+ *Amazon Aurora* + Not applicable. When you delete a DB cluster, all automated backups for that DB cluster are deleted and can't be recovered. Manual DB cluster snapshots of the DB cluster are not deleted. +- `deletion_protection` (Boolean) A value that indicates whether the DB instance has deletion protection enabled. The database can't be deleted when deletion protection is enabled. By default, deletion protection is disabled. For more information, see [Deleting a DB Instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html). + *Amazon Aurora* + Not applicable. You can enable or disable deletion protection for the DB cluster. For more information, see ``CreateDBCluster``. DB instances in a DB cluster can be deleted even when deletion protection is enabled for the DB cluster. +- `domain` (String) The Active Directory directory ID to create the DB instance in. Currently, only Db2, MySQL, Microsoft SQL Server, Oracle, and PostgreSQL DB instances can be created in an Active Directory Domain. + For more information, see [Kerberos Authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/kerberos-authentication.html) in the *Amazon RDS User Guide*. - `domain_auth_secret_arn` (String) The ARN for the Secrets Manager secret with the credentials for the user joining the domain. + Example: ``arn:aws:secretsmanager:region:account-number:secret:myselfmanagedADtestsecret-123456`` - `domain_dns_ips` (List of String) The IPv4 DNS IP addresses of your primary and secondary Active Directory domain controllers. + Constraints: + + Two IP addresses must be provided. If there isn't a secondary domain controller, use the IP address of the primary domain controller for both entries in the list. + + Example: ``123.124.125.126,234.235.236.237`` - `domain_fqdn` (String) The fully qualified domain name (FQDN) of an Active Directory domain. 
-- `domain_iam_role_name` (String) Specify the name of the IAM role to be used when making API calls to the Directory Service. + Constraints: + + Can't be longer than 64 characters. + + Example: ``mymanagedADtest.mymanagedAD.mydomain`` +- `domain_iam_role_name` (String) The name of the IAM role to use when making API calls to the Directory Service. + This setting doesn't apply to the following DB instances: + + Amazon Aurora (The domain is managed by the DB cluster.) + + RDS Custom - `domain_ou` (String) The Active Directory organizational unit for your DB instance to join. -- `enable_cloudwatch_logs_exports` (List of String) The list of log types that need to be enabled for exporting to CloudWatch Logs. The values in the list depend on the DB engine being used. + Constraints: + + Must be in the distinguished name format. + + Can't be longer than 64 characters. + + Example: ``OU=mymanagedADtestOU,DC=mymanagedADtest,DC=mymanagedAD,DC=mydomain`` +- `enable_cloudwatch_logs_exports` (List of String) The list of log types that need to be enabled for exporting to CloudWatch Logs. The values in the list depend on the DB engine being used. For more information, see [Publishing Database Logs to Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch) in the *Amazon Relational Database Service User Guide*. + *Amazon Aurora* + Not applicable. CloudWatch Logs exports are managed by the DB cluster. 
+ *Db2* + Valid values: ``diag.log``, ``notify.log`` + *MariaDB* + Valid values: ``audit``, ``error``, ``general``, ``slowquery`` + *Microsoft SQL Server* + Valid values: ``agent``, ``error`` + *MySQL* + Valid values: ``audit``, ``error``, ``general``, ``slowquery`` + *Oracle* + Valid values: ``alert``, ``audit``, ``listener``, ``trace``, ``oemagent`` + *PostgreSQL* + Valid values: ``postgresql``, ``upgrade`` - `enable_iam_database_authentication` (Boolean) A value that indicates whether to enable mapping of AWS Identity and Access Management (IAM) accounts to database accounts. By default, mapping is disabled. -- `enable_performance_insights` (Boolean) A value that indicates whether to enable Performance Insights for the DB instance. -- `endpoint` (Attributes) Specifies the connection endpoint. (see [below for nested schema](#nestedatt--endpoint)) + This property is supported for RDS for MariaDB, RDS for MySQL, and RDS for PostgreSQL. For more information, see [IAM Database Authentication for MariaDB, MySQL, and PostgreSQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html) in the *Amazon RDS User Guide.* + *Amazon Aurora* + Not applicable. Mapping AWS IAM accounts to database accounts is managed by the DB cluster. +- `enable_performance_insights` (Boolean) Specifies whether to enable Performance Insights for the DB instance. For more information, see [Using Amazon Performance Insights](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.html) in the *Amazon RDS User Guide*. + This setting doesn't apply to RDS Custom DB instances. +- `endpoint` (Attributes) The connection endpoint for the DB instance. + The endpoint might not be shown for instances with the status of ``creating``. (see [below for nested schema](#nestedatt--endpoint)) - `engine` (String) The name of the database engine that you want to use for this DB instance. + Not every database engine is available in every AWS Region. 
+ When you are creating a DB instance, the ``Engine`` property is required. + Valid Values: + + ``aurora-mysql`` (for Aurora MySQL DB instances) + + ``aurora-postgresql`` (for Aurora PostgreSQL DB instances) + + ``custom-oracle-ee`` (for RDS Custom for Oracle DB instances) + + ``custom-oracle-ee-cdb`` (for RDS Custom for Oracle DB instances) + + ``custom-sqlserver-ee`` (for RDS Custom for SQL Server DB instances) + + ``custom-sqlserver-se`` (for RDS Custom for SQL Server DB instances) + + ``custom-sqlserver-web`` (for RDS Custom for SQL Server DB instances) + + ``db2-ae`` + + ``db2-se`` + + ``mariadb`` + + ``mysql`` + + ``oracle-ee`` + + ``oracle-ee-cdb`` + + ``oracle-se2`` + + ``oracle-se2-cdb`` + + ``postgres`` + + ``sqlserver-ee`` + + ``sqlserver-se`` + + ``sqlserver-ex`` + + ``sqlserver-web`` - `engine_version` (String) The version number of the database engine to use. -- `iops` (Number) The number of I/O operations per second (IOPS) that the database provisions. -- `kms_key_id` (String) The ARN of the AWS Key Management Service (AWS KMS) master key that's used to encrypt the DB instance. + For a list of valid engine versions, use the ``DescribeDBEngineVersions`` action. + The following are the database engines and links to information about the major and minor versions that are available with Amazon RDS. Not every database engine is available for every AWS Region. + *Amazon Aurora* + Not applicable. The version number of the database engine to be used by the DB instance is managed by the DB cluster. 
+ *Db2* + See [Amazon RDS for Db2](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Db2.html#Db2.Concepts.VersionMgmt) in the *Amazon RDS User Guide.* + *MariaDB* + See [MariaDB on Amazon RDS Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MariaDB.html#MariaDB.Concepts.VersionMgmt) in the *Amazon RDS User Guide.* + *Microsoft SQL Server* + See [Microsoft SQL Server Versions on Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html#SQLServer.Concepts.General.VersionSu +- `iops` (Number) The number of I/O operations per second (IOPS) that the database provisions. The value must be equal to or greater than 1000. + If you specify this property, you must follow the range of allowed ratios of your requested IOPS rate to the amount of storage that you allocate (IOPS to allocated storage). For example, you can provision an Oracle database instance with 1000 IOPS and 200 GiB of storage (a ratio of 5:1), or specify 2000 IOPS with 200 GiB of storage (a ratio of 10:1). For more information, see [Amazon RDS Provisioned IOPS Storage to Improve Performance](https://docs.aws.amazon.com/AmazonRDS/latest/DeveloperGuide/CHAP_Storage.html#USER_PIOPS) in the *Amazon RDS User Guide*. + If you specify ``io1`` for the ``StorageType`` property, then you must also specify the ``Iops`` property. + Constraints: + + For RDS for Db2, MariaDB, MySQL, Oracle, and PostgreSQL - Must be a multiple between .5 and 50 of the storage amount for the DB instance. + + For RDS for SQL Server - Must be a multip +- `kms_key_id` (String) The ARN of the AWS KMS key that's used to encrypt the DB instance, such as ``arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef``. If you enable the StorageEncrypted property but don't specify this property, AWS CloudFormation uses the default KMS key. If you specify this property, you must set the StorageEncrypted property to true. 
+ If you specify the ``SourceDBInstanceIdentifier`` property, the value is inherited from the source DB instance if the read replica is created in the same region. + If you create an encrypted read replica in a different AWS Region, then you must specify a KMS key for the destination AWS Region. KMS encryption keys are specific to the region that they're created in, and you can't use encryption keys from one region in another region. + If you specify the ``SnapshotIdentifier`` property, the ``StorageEncrypted`` property value is inherited from the snapshot, and if the DB instance is encrypted, the specified ``KmsKeyId`` property is us - `license_model` (String) License model information for this DB instance. -- `manage_master_user_password` (Boolean) A value that indicates whether to manage the master user password with AWS Secrets Manager. -- `master_user_password` (String) The password for the master user. -- `master_user_secret` (Attributes) Contains the secret managed by RDS in AWS Secrets Manager for the master user password. (see [below for nested schema](#nestedatt--master_user_secret)) + Valid Values: + + Aurora MySQL - ``general-public-license`` + + Aurora PostgreSQL - ``postgresql-license`` + + RDS for Db2 - ``bring-your-own-license``. For more information about RDS for Db2 licensing, see [](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/db2-licensing.html) in the *Amazon RDS User Guide.* + + RDS for MariaDB - ``general-public-license`` + + RDS for Microsoft SQL Server - ``license-included`` + + RDS for MySQL - ``general-public-license`` + + RDS for Oracle - ``bring-your-own-license`` or ``license-included`` + + RDS for PostgreSQL - ``postgresql-license`` + + If you've specified ``DBSecurityGroups`` and then you update the license model, AWS CloudFormation replaces the underlying DB instance. This will incur some interruptions to database availability. 
+- `manage_master_user_password` (Boolean) Specifies whether to manage the master user password with AWS Secrets Manager. + For more information, see [Password management with Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html) in the *Amazon RDS User Guide.* + Constraints: + + Can't manage the master user password with AWS Secrets Manager if ``MasterUserPassword`` is specified. +- `master_user_password` (String) The password for the master user. The password can include any printable ASCII character except "/", """, or "@". + *Amazon Aurora* + Not applicable. The password for the master user is managed by the DB cluster. + *RDS for Db2* + Must contain from 8 to 255 characters. + *RDS for MariaDB* + Constraints: Must contain from 8 to 41 characters. + *RDS for Microsoft SQL Server* + Constraints: Must contain from 8 to 128 characters. + *RDS for MySQL* + Constraints: Must contain from 8 to 41 characters. + *RDS for Oracle* + Constraints: Must contain from 8 to 30 characters. + *RDS for PostgreSQL* + Constraints: Must contain from 8 to 128 characters. +- `master_user_secret` (Attributes) The secret managed by RDS in AWS Secrets Manager for the master user password. + For more information, see [Password management with Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html) in the *Amazon RDS User Guide.* (see [below for nested schema](#nestedatt--master_user_secret)) - `master_username` (String) The master user name for the DB instance. -- `max_allocated_storage` (Number) The upper limit to which Amazon RDS can automatically scale the storage of the DB instance. -- `monitoring_interval` (Number) The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. The default is 0. 
-- `monitoring_role_arn` (String) The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to Amazon CloudWatch Logs. -- `multi_az` (Boolean) Specifies whether the database instance is a multiple Availability Zone deployment. -- `nchar_character_set_name` (String) The name of the NCHAR character set for the Oracle DB instance. This parameter doesn't apply to RDS Custom. -- `network_type` (String) The network type of the DB cluster. + If you specify the ``SourceDBInstanceIdentifier`` or ``DBSnapshotIdentifier`` property, don't specify this property. The value is inherited from the source DB instance or snapshot. + When migrating a self-managed Db2 database, we recommend that you use the same master username as your self-managed Db2 instance name. + *Amazon Aurora* + Not applicable. The name for the master user is managed by the DB cluster. + *RDS for Db2* + Constraints: + + Must be 1 to 16 letters or numbers. + + First character must be a letter. + + Can't be a reserved word for the chosen database engine. + + *RDS for MariaDB* + Constraints: + + Must be 1 to 16 letters or numbers. + + Can't be a reserved word for the chosen database engine. + + *RDS for Microsoft SQL Server* + Constraints: + + Must be 1 to 128 letters or numbers. + + First character must be a letter. + + Can't be a reserved word for the chosen database engine. + + *RDS for MySQL* + Constrain +- `max_allocated_storage` (Number) The upper limit in gibibytes (GiB) to which Amazon RDS can automatically scale the storage of the DB instance. + For more information about this setting, including limitations that apply to it, see [Managing capacity automatically with Amazon RDS storage autoscaling](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PIOPS.StorageTypes.html#USER_PIOPS.Autoscaling) in the *Amazon RDS User Guide*. + This setting doesn't apply to the following DB instances: + + Amazon Aurora (Storage is managed by the DB cluster.) 
+ + RDS Custom +- `monitoring_interval` (Number) The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collection of Enhanced Monitoring metrics, specify 0. The default is 0. + If ``MonitoringRoleArn`` is specified, then you must set ``MonitoringInterval`` to a value other than 0. + This setting doesn't apply to RDS Custom. + Valid Values: ``0, 1, 5, 10, 15, 30, 60`` +- `monitoring_role_arn` (String) The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to Amazon CloudWatch Logs. For example, ``arn:aws:iam:123456789012:role/emaccess``. For information on creating a monitoring role, see [Setting Up and Enabling Enhanced Monitoring](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html#USER_Monitoring.OS.Enabling) in the *Amazon RDS User Guide*. + If ``MonitoringInterval`` is set to a value other than ``0``, then you must supply a ``MonitoringRoleArn`` value. + This setting doesn't apply to RDS Custom DB instances. +- `multi_az` (Boolean) Specifies whether the database instance is a Multi-AZ DB instance deployment. You can't set the ``AvailabilityZone`` parameter if the ``MultiAZ`` parameter is set to true. + For more information, see [Multi-AZ deployments for high availability](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html) in the *Amazon RDS User Guide*. + *Amazon Aurora* + Not applicable. Amazon Aurora storage is replicated across all of the Availability Zones and doesn't require the ``MultiAZ`` option to be set. +- `nchar_character_set_name` (String) The name of the NCHAR character set for the Oracle DB instance. + This setting doesn't apply to RDS Custom DB instances. +- `network_type` (String) The network type of the DB instance. + Valid values: + + ``IPV4`` + + ``DUAL`` + + The network type is determined by the ``DBSubnetGroup`` specified for the DB instance. 
A ``DBSubnetGroup`` can support only the IPv4 protocol or the IPv4 and IPv6 protocols (``DUAL``). + For more information, see [Working with a DB instance in a VPC](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html) in the *Amazon RDS User Guide.* - `option_group_name` (String) Indicates that the DB instance should be associated with the specified option group. -- `performance_insights_kms_key_id` (String) The AWS KMS key identifier for encryption of Performance Insights data. The KMS key ID is the Amazon Resource Name (ARN), KMS key identifier, or the KMS key alias for the KMS encryption key. -- `performance_insights_retention_period` (Number) The amount of time, in days, to retain Performance Insights data. Valid values are 7 or 731 (2 years). + Permanent options, such as the TDE option for Oracle Advanced Security TDE, can't be removed from an option group. Also, that option group can't be removed from a DB instance once it is associated with a DB instance. +- `performance_insights_kms_key_id` (String) The AWS KMS key identifier for encryption of Performance Insights data. + The KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. + If you do not specify a value for ``PerformanceInsightsKMSKeyId``, then Amazon RDS uses your default KMS key. There is a default KMS key for your AWS account. Your AWS account has a different default KMS key for each AWS Region. + For information about enabling Performance Insights, see [EnablePerformanceInsights](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-enableperformanceinsights). +- `performance_insights_retention_period` (Number) The number of days to retain Performance Insights data. + This setting doesn't apply to RDS Custom DB instances. + Valid Values: + + ``7`` + + *month* * 31, where *month* is a number of months from 1-23. 
Examples: ``93`` (3 months * 31), ``341`` (11 months * 31), ``589`` (19 months * 31) + + ``731`` + + Default: ``7`` days + If you specify a retention period that isn't valid, such as ``94``, Amazon RDS returns an error. - `port` (String) The port number on which the database accepts connections. -- `preferred_backup_window` (String) The daily time range during which automated backups are created if automated backups are enabled, using the BackupRetentionPeriod parameter. -- `preferred_maintenance_window` (String) he weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC). -- `processor_features` (Attributes List) The number of CPU cores and the number of threads per core for the DB instance class of the DB instance. (see [below for nested schema](#nestedatt--processor_features)) -- `promotion_tier` (Number) A value that specifies the order in which an Aurora Replica is promoted to the primary instance after a failure of the existing primary instance. -- `publicly_accessible` (Boolean) Indicates whether the DB instance is an internet-facing instance. If you specify true, AWS CloudFormation creates an instance with a publicly resolvable DNS name, which resolves to a public IP address. If you specify false, AWS CloudFormation creates an internal instance with a DNS name that resolves to a private IP address. -- `replica_mode` (String) The open mode of an Oracle read replica. The default is open-read-only. + *Amazon Aurora* + Not applicable. The port number is managed by the DB cluster. + *Db2* + Default value: ``50000`` +- `preferred_backup_window` (String) The daily time range during which automated backups are created if automated backups are enabled, using the ``BackupRetentionPeriod`` parameter. 
For more information, see [Backup Window](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupWindow) in the *Amazon RDS User Guide.* + Constraints: + + Must be in the format ``hh24:mi-hh24:mi``. + + Must be in Universal Coordinated Time (UTC). + + Must not conflict with the preferred maintenance window. + + Must be at least 30 minutes. + + *Amazon Aurora* + Not applicable. The daily time range for creating automated backups is managed by the DB cluster. +- `preferred_maintenance_window` (String) The weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC). + Format: ``ddd:hh24:mi-ddd:hh24:mi`` + The default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region, occurring on a random day of the week. To see the time blocks available, see [Adjusting the Preferred DB Instance Maintenance Window](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Maintenance.html#AdjustingTheMaintenanceWindow) in the *Amazon RDS User Guide.* + This property applies when AWS CloudFormation initially creates the DB instance. If you use AWS CloudFormation to update the DB instance, those updates are applied immediately. + Constraints: Minimum 30-minute window. +- `processor_features` (Attributes List) The number of CPU cores and the number of threads per core for the DB instance class of the DB instance. + This setting doesn't apply to Amazon Aurora or RDS Custom DB instances. (see [below for nested schema](#nestedatt--processor_features)) +- `promotion_tier` (Number) The order of priority in which an Aurora Replica is promoted to the primary instance after a failure of the existing primary instance. 
For more information, see [Fault Tolerance for an Aurora DB Cluster](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.AuroraHighAvailability.html#Aurora.Managing.FaultTolerance) in the *Amazon Aurora User Guide*. + This setting doesn't apply to RDS Custom DB instances. + Default: ``1`` + Valid Values: ``0 - 15`` +- `publicly_accessible` (Boolean) Indicates whether the DB instance is an internet-facing instance. If you specify true, AWS CloudFormation creates an instance with a publicly resolvable DNS name, which resolves to a public IP address. If you specify false, AWS CloudFormation creates an internal instance with a DNS name that resolves to a private IP address. + The default behavior value depends on your VPC setup and the database subnet group. For more information, see the ``PubliclyAccessible`` parameter in the [CreateDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html) in the *Amazon RDS API Reference*. +- `replica_mode` (String) The open mode of an Oracle read replica. For more information, see [Working with Oracle Read Replicas for Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/oracle-read-replicas.html) in the *Amazon RDS User Guide*. + This setting is only supported in RDS for Oracle. + Default: ``open-read-only`` + Valid Values: ``open-read-only`` or ``mounted`` - `restore_time` (String) The date and time to restore from. + Constraints: + + Must be a time in Universal Coordinated Time (UTC) format. + + Must be before the latest restorable time for the DB instance. + + Can't be specified if the ``UseLatestRestorableTime`` parameter is enabled. + + Example: ``2009-09-07T23:45:00Z`` - `source_db_cluster_identifier` (String) The identifier of the Multi-AZ DB cluster that will act as the source for the read replica. Each DB cluster can have up to 15 read replicas. 
-- `source_db_instance_automated_backups_arn` (String) The Amazon Resource Name (ARN) of the replicated automated backups from which to restore. -- `source_db_instance_identifier` (String) If you want to create a Read Replica DB instance, specify the ID of the source DB instance. Each DB instance can have a limited number of Read Replicas. + Constraints: + + Must be the identifier of an existing Multi-AZ DB cluster. + + Can't be specified if the ``SourceDBInstanceIdentifier`` parameter is also specified. + + The specified DB cluster must have automatic backups enabled, that is, its backup retention period must be greater than 0. + + The source DB cluster must be in the same AWS-Region as the read replica. Cross-Region replication isn't supported. +- `source_db_instance_automated_backups_arn` (String) The Amazon Resource Name (ARN) of the replicated automated backups from which to restore, for example, ``arn:aws:rds:us-east-1:123456789012:auto-backup:ab-L2IJCEXJP7XQ7HOJ4SIEXAMPLE``. + This setting doesn't apply to RDS Custom. +- `source_db_instance_identifier` (String) If you want to create a read replica DB instance, specify the ID of the source DB instance. Each DB instance can have a limited number of read replicas. For more information, see [Working with Read Replicas](https://docs.aws.amazon.com/AmazonRDS/latest/DeveloperGuide/USER_ReadRepl.html) in the *Amazon RDS User Guide*. + For information about constraints that apply to DB instance identifiers, see [Naming constraints in Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Limits.html#RDS_Limits.Constraints) in the *Amazon RDS User Guide*. + The ``SourceDBInstanceIdentifier`` property determines whether a DB instance is a read replica. If you remove the ``SourceDBInstanceIdentifier`` property from your template and then update your stack, AWS CloudFormation promotes the Read Replica to a standalone DB instance. 
+ + If you specify a source DB instance that uses VPC security groups, we recommend that you specify the ``VPCSecurityGroups`` property. If you don't specify the - `source_dbi_resource_id` (String) The resource ID of the source DB instance from which to restore. -- `source_region` (String) The ID of the region that contains the source DB instance for the Read Replica. +- `source_region` (String) The ID of the region that contains the source DB instance for the read replica. - `storage_encrypted` (Boolean) A value that indicates whether the DB instance is encrypted. By default, it isn't encrypted. -- `storage_throughput` (Number) Specifies the storage throughput for the DB instance. + If you specify the ``KmsKeyId`` property, then you must enable encryption. + If you specify the ``SourceDBInstanceIdentifier`` property, don't specify this property. The value is inherited from the source DB instance, and if the DB instance is encrypted, the specified ``KmsKeyId`` property is used. + If you specify the ``DBSnapshotIdentifier`` and the specified snapshot is encrypted, don't specify this property. The value is inherited from the snapshot, and the specified ``KmsKeyId`` property is used. + If you specify the ``DBSnapshotIdentifier`` and the specified snapshot isn't encrypted, you can use this property to specify that the restored DB instance is encrypted. Specify the ``KmsKeyId`` property for the KMS key to use for encryption. If you don't want the restored DB instance to be encrypted, then don't set this property or set it to ``false``. + *Amazon Aurora* + Not applicable. The encrypt +- `storage_throughput` (Number) Specifies the storage throughput value for the DB instance. This setting applies only to the ``gp3`` storage type. + This setting doesn't apply to RDS Custom or Amazon Aurora. - `storage_type` (String) Specifies the storage type to be associated with the DB instance. -- `tags` (Attributes List) Tags to assign to the DB instance. 
(see [below for nested schema](#nestedatt--tags)) -- `tde_credential_arn` (String) The ARN from the key store with which to associate the instance for TDE encryption. -- `tde_credential_password` (String) The password for the given ARN from the key store in order to access the device. -- `timezone` (String) The time zone of the DB instance. The time zone parameter is currently supported only by Microsoft SQL Server. -- `use_default_processor_features` (Boolean) A value that indicates whether the DB instance class of the DB instance uses its default processor features. -- `use_latest_restorable_time` (Boolean) A value that indicates whether the DB instance is restored from the latest backup time. By default, the DB instance isn't restored from the latest backup time. -- `vpc_security_groups` (List of String) A list of the VPC security group IDs to assign to the DB instance. The list can include both the physical IDs of existing VPC security groups and references to AWS::EC2::SecurityGroup resources created in the template. + Valid values: ``gp2 | gp3 | io1 | standard`` + The ``standard`` value is also known as magnetic. + If you specify ``io1`` or ``gp3``, you must also include a value for the ``Iops`` parameter. + Default: ``io1`` if the ``Iops`` parameter is specified, otherwise ``gp2`` + For more information, see [Amazon RDS DB Instance Storage](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html) in the *Amazon RDS User Guide*. + *Amazon Aurora* + Not applicable. Aurora data is stored in the cluster volume, which is a single, virtual volume that uses solid state drives (SSDs). +- `tags` (Attributes List) An optional array of key-value pairs to apply to this DB instance. (see [below for nested schema](#nestedatt--tags)) +- `tde_credential_arn` (String) +- `tde_credential_password` (String) +- `timezone` (String) The time zone of the DB instance. 
The time zone parameter is currently supported only by [Microsoft SQL Server](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html#SQLServer.Concepts.General.TimeZone). +- `use_default_processor_features` (Boolean) Specifies whether the DB instance class of the DB instance uses its default processor features. + This setting doesn't apply to RDS Custom DB instances. +- `use_latest_restorable_time` (Boolean) Specifies whether the DB instance is restored from the latest backup time. By default, the DB instance isn't restored from the latest backup time. + Constraints: + + Can't be specified if the ``RestoreTime`` parameter is provided. +- `vpc_security_groups` (List of String) A list of the VPC security group IDs to assign to the DB instance. The list can include both the physical IDs of existing VPC security groups and references to [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html) resources created in the template. + If you plan to update the resource, don't specify VPC security groups in a shared VPC. + If you set ``VPCSecurityGroups``, you must not set [DBSecurityGroups](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-dbsecuritygroups), and vice versa. + You can migrate a DB instance in your stack from an RDS DB security group to a VPC security group, but keep the following in mind: + + You can't revert to using an RDS security group after you establish a VPC security group membership. + + When you migrate your DB instance to VPC security groups, if your stack update rolls back because the DB instanc ### Nested Schema for `associated_roles` Read-Only: -- `feature_name` (String) The name of the feature associated with the AWS Identity and Access Management (IAM) role. 
IAM roles that are associated with a DB instance grant permission for the DB instance to access other AWS services on your behalf. +- `feature_name` (String) The name of the feature associated with the AWS Identity and Access Management (IAM) role. IAM roles that are associated with a DB instance grant permission for the DB instance to access other AWS services on your behalf. For the list of supported feature names, see the ``SupportedFeatureNames`` description in [DBEngineVersion](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DBEngineVersion.html) in the *Amazon RDS API Reference*. - `role_arn` (String) The Amazon Resource Name (ARN) of the IAM role that is associated with the DB instance. @@ -133,7 +440,7 @@ Read-Only: Read-Only: - `ca_identifier` (String) The CA identifier of the CA certificate used for the DB instance's server certificate. -- `valid_till` (String) The expiration date of the DB instance’s server certificate. +- `valid_till` (String) The expiration date of the DB instance?s server certificate. @@ -160,7 +467,7 @@ Read-Only: Read-Only: -- `name` (String) The name of the processor feature. Valid names are coreCount and threadsPerCore. +- `name` (String) The name of the processor feature. Valid names are ``coreCount`` and ``threadsPerCore``. - `value` (String) The value of a processor feature name. 
@@ -169,5 +476,5 @@ Read-Only: Read-Only: -- `key` (String) The key name of the tag. You can specify a value that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -. -- `value` (String) The value for the tag. You can specify a value that is 0 to 256 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -. +- `key` (String) A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with ``aws:`` or ``rds:``. The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: "^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]*)$"). +- `value` (String) A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with ``aws:`` or ``rds:``. The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: "^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]*)$"). diff --git a/docs/data-sources/rds_db_parameter_group.md b/docs/data-sources/rds_db_parameter_group.md index 12097113e9..7da6bb3c16 100644 --- a/docs/data-sources/rds_db_parameter_group.md +++ b/docs/data-sources/rds_db_parameter_group.md 
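Review bot: in the rds_db_instance.md attributes hunk, several new descriptions are cut off mid-word at what looks like a fixed character budget: the per-engine version list that opens the hunk stops at `SQLServer.Concepts.General.VersionSu`, `iops` at `Must be a multip`, `kms_key_id` at `the specified ``KmsKeyId`` property is us`, `master_username` at `Constrain`, `source_db_instance_identifier` at `If you don't specify the`, `storage_encrypted` at `The encrypt`, and `vpc_security_groups` at `because the DB instanc`. The first of those lands inside a Markdown link, leaving an unclosed `](https://...` that will swallow the following bullet when rendered; the generator should truncate at a sentence boundary, or not at all, and never inside a link. Same hunk: `license_model` carries an empty link label, `[](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/db2-licensing.html)`; `tde_credential_arn` and `tde_credential_password` lose the descriptions the `-` lines had, which matters for a password-bearing attribute that readers should be able to identify as such; and `storage_type` says `io1` or `gp3` requires `Iops` while the `iops` description on the same page says only `io1` does, so one of the two statements needs reconciling before this ships.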
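Review bot: in the `@@ -133,7 +440,7 @@` hunk, `valid_till` regresses from `DB instance’s` to `DB instance?s`; the typographic apostrophe in the upstream description is being replaced by `?` somewhere in the generation pipeline (a non-UTF-8 encode step is the usual cause), and committing the line bakes the mangling into the docs. Fix the encoding in the generator, or normalise the apostrophe to ASCII `'` there, rather than land the `?`.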
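Review bot: in the `@@ -169,5 +476,5 @@` tags hunk, both `key` and `value` read "The string can only contain only the set of", a doubled "only" that recurs verbatim in the rds_db_parameter_group.md and rds_db_subnet_group.md tags hunks below, so it is worth fixing once in the shared tags description rather than per file. The rest of the change is an improvement: the `rds:` prefix restriction and the allowed set `'_', '.', ':', '/', '=', '+', '-', '@'` now match the Java regex `^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]*)$` that follows them.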
@@ -21,16 +21,33 @@ Data Source schema for AWS::RDS::DBParameterGroup ### Read-Only -- `db_parameter_group_name` (String) Specifies the name of the DB parameter group +- `db_parameter_group_name` (String) The name of the DB parameter group. + Constraints: + + Must be 1 to 255 letters, numbers, or hyphens. + + First character must be a letter + + Can't end with a hyphen or contain two consecutive hyphens + + If you don't specify a value for ``DBParameterGroupName`` property, a name is automatically created for the DB parameter group. + This value is stored as a lowercase string. - `description` (String) Provides the customer-specified description for this DB parameter group. -- `family` (String) The DB parameter group family name. -- `parameters` (String) An array of parameter names and values for the parameter update. -- `tags` (Attributes List) An array of key-value pairs to apply to this resource. (see [below for nested schema](#nestedatt--tags)) +- `family` (String) The DB parameter group family name. A DB parameter group can be associated with one and only one DB parameter group family, and can be applied only to a DB instance running a DB engine and engine version compatible with that DB parameter group family. + The DB parameter group family can't be changed when updating a DB parameter group. + To list all of the available parameter group families, use the following command: + ``aws rds describe-db-engine-versions --query "DBEngineVersions[].DBParameterGroupFamily"`` + The output contains duplicates. + For more information, see ``CreateDBParameterGroup``. +- `parameters` (String) An array of parameter names and values for the parameter update. At least one parameter name and value must be supplied. Subsequent arguments are optional. + RDS for Db2 requires you to bring your own Db2 license. You must enter your IBM customer ID (``rds.ibm_customer_id``) and site number (``rds.ibm_site_id``) before starting a Db2 instance. 
+ For more information about DB parameters and DB parameter groups for Amazon RDS DB engines, see [Working with DB Parameter Groups](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithParamGroups.html) in the *Amazon RDS User Guide*. + For more information about DB cluster and DB instance parameters and parameter groups for Amazon Aurora DB engines, see [Working with DB Parameter Groups and DB Cluster Parameter Groups](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_WorkingWithParamGroups.html) in the *Amazon Aurora User Guide*. + AWS CloudFormation doesn't support specifying an apply method for each individual +- `tags` (Attributes List) An optional array of key-value pairs to apply to this DB parameter group. + Currently, this is the only property that supports drift detection. (see [below for nested schema](#nestedatt--tags)) ### Nested Schema for `tags` Read-Only: -- `key` (String) The key name of the tag. You can specify a value that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -. -- `value` (String) The value for the tag. You can specify a value that is 0 to 256 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -. +- `key` (String) A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with ``aws:`` or ``rds:``. The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: "^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]*)$"). +- `value` (String) A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with ``aws:`` or ``rds:``. 
The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: "^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]*)$"). diff --git a/docs/data-sources/rds_db_subnet_group.md b/docs/data-sources/rds_db_subnet_group.md index 93b0f29b0b..61e2a1f698 100644 --- a/docs/data-sources/rds_db_subnet_group.md +++ b/docs/data-sources/rds_db_subnet_group.md 
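Review bot: in the rds_db_parameter_group.md hunk, the `parameters` description ends mid-sentence at `AWS CloudFormation doesn't support specifying an apply method for each individual`, the same fixed-length cut seen in rds_db_instance.md, and the `family` description points to ``CreateDBParameterGroup`` as bare code while every other reference in the file is a Markdown link. Also, `parameters` is typed `(String)` while its description, old and new, calls it an array of parameter names and values; if the schema exposes it as a JSON-encoded string, say so in the description so readers know to decode it rather than index it as a list.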
@@ -21,15 +21,17 @@ Data Source schema for AWS::RDS::DBSubnetGroup ### Read-Only -- `db_subnet_group_description` (String) -- `db_subnet_group_name` (String) -- `subnet_ids` (List of String) -- `tags` (Attributes List) An array of key-value pairs to apply to this resource. (see [below for nested schema](#nestedatt--tags)) +- `db_subnet_group_description` (String) The description for the DB subnet group. +- `db_subnet_group_name` (String) The name for the DB subnet group. This value is stored as a lowercase string. + Constraints: Must contain no more than 255 lowercase alphanumeric characters or hyphens. Must not be "Default". + Example: ``mysubnetgroup`` +- `subnet_ids` (List of String) The EC2 Subnet IDs for the DB subnet group. +- `tags` (Attributes List) An optional array of key-value pairs to apply to this DB subnet group. (see [below for nested schema](#nestedatt--tags)) ### Nested Schema for `tags` Read-Only: -- `key` (String) The key name of the tag. You can specify a value that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -. -- `value` (String) The value for the tag. You can specify a value that is 0 to 256 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -. +- `key` (String) A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with ``aws:`` or ``rds:``. The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: "^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]*)$"). +- `value` (String) A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with ``aws:`` or ``rds:``. 
The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: "^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]*)$"). diff --git a/docs/data-sources/s3_bucket.md b/docs/data-sources/s3_bucket.md index fbe4adb283..519f51e836 100644 --- a/docs/data-sources/s3_bucket.md +++ b/docs/data-sources/s3_bucket.md 
@@ -21,30 +21,39 @@ Data Source schema for AWS::S3::Bucket ### Read-Only -- `accelerate_configuration` (Attributes) Configuration for the transfer acceleration state. (see [below for nested schema](#nestedatt--accelerate_configuration)) -- `access_control` (String) A canned access control list (ACL) that grants predefined permissions to the bucket. -- `analytics_configurations` (Attributes List) The configuration and any analyses for the analytics filter of an Amazon S3 bucket. (see [below for nested schema](#nestedatt--analytics_configurations)) +- `accelerate_configuration` (Attributes) Configures the transfer acceleration state for an Amazon S3 bucket. For more information, see [Amazon S3 Transfer Acceleration](https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html) in the *Amazon S3 User Guide*. (see [below for nested schema](#nestedatt--accelerate_configuration)) +- `access_control` (String) This is a legacy property, and it is not recommended for most use cases. A majority of modern use cases in Amazon S3 no longer require the use of ACLs, and we recommend that you keep ACLs disabled. For more information, see [Controlling object ownership](https://docs.aws.amazon.com//AmazonS3/latest/userguide/about-object-ownership.html) in the *Amazon S3 User Guide*. + A canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) in the *Amazon S3 User Guide*. + S3 buckets are created with ACLs disabled by default. Therefore, unless you explicitly set the [AWS::S3::OwnershipControls](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-ownershipcontrols.html) property to enable ACLs, your resource will fail to deploy with any value other than Private. Use cases requiring ACLs are uncommon. 
+ The majority of access control configurations can be successfully and more easily achieved with bucket policies. For more information, see [AWS::S3::BucketPolicy](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html). For examples of common policy configurations, including S3 Server Access Logs buckets and more, see [Bucket policy examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html) in the *Amazon S3 User Guide*. +- `analytics_configurations` (Attributes List) Specifies the configuration and any analyses for the analytics filter of an Amazon S3 bucket. (see [below for nested schema](#nestedatt--analytics_configurations)) - `arn` (String) The Amazon Resource Name (ARN) of the specified bucket. -- `bucket_encryption` (Attributes) Specifies default encryption for a bucket using server-side encryption with either Amazon S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS). (see [below for nested schema](#nestedatt--bucket_encryption)) -- `bucket_name` (String) A name for the bucket. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the bucket name. -- `cors_configuration` (Attributes) Rules that define cross-origin resource sharing of objects in this bucket. (see [below for nested schema](#nestedatt--cors_configuration)) +- `bucket_encryption` (Attributes) Specifies default encryption for a bucket using server-side encryption with Amazon S3-managed keys (SSE-S3), AWS KMS-managed keys (SSE-KMS), or dual-layer server-side encryption with KMS-managed keys (DSSE-KMS). For information about the Amazon S3 default encryption feature, see [Amazon S3 Default Encryption for S3 Buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html) in the *Amazon S3 User Guide*. (see [below for nested schema](#nestedatt--bucket_encryption)) +- `bucket_name` (String) A name for the bucket. 
If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the bucket name. The bucket name must contain only lowercase letters, numbers, periods (.), and dashes (-) and must follow [Amazon S3 bucket restrictions and limitations](https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html). For more information, see [Rules for naming Amazon S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html#bucketnamingrules) in the *Amazon S3 User Guide*. + If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you need to replace the resource, specify a new name. +- `cors_configuration` (Attributes) Describes the cross-origin access configuration for objects in an Amazon S3 bucket. For more information, see [Enabling Cross-Origin Resource Sharing](https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html) in the *Amazon S3 User Guide*. (see [below for nested schema](#nestedatt--cors_configuration)) - `domain_name` (String) The IPv4 DNS name of the specified bucket. - `dual_stack_domain_name` (String) The IPv6 DNS name of the specified bucket. For more information about dual-stack endpoints, see [Using Amazon S3 Dual-Stack Endpoints](https://docs.aws.amazon.com/AmazonS3/latest/dev/dual-stack-endpoints.html). -- `intelligent_tiering_configurations` (Attributes List) Specifies the S3 Intelligent-Tiering configuration for an Amazon S3 bucket. (see [below for nested schema](#nestedatt--intelligent_tiering_configurations)) -- `inventory_configurations` (Attributes List) The inventory configuration for an Amazon S3 bucket. (see [below for nested schema](#nestedatt--inventory_configurations)) -- `lifecycle_configuration` (Attributes) Rules that define how Amazon S3 manages objects during their lifetime. 
(see [below for nested schema](#nestedatt--lifecycle_configuration)) +- `intelligent_tiering_configurations` (Attributes List) Defines how Amazon S3 handles Intelligent-Tiering storage. (see [below for nested schema](#nestedatt--intelligent_tiering_configurations)) +- `inventory_configurations` (Attributes List) Specifies the inventory configuration for an Amazon S3 bucket. For more information, see [GET Bucket inventory](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETInventoryConfig.html) in the *Amazon S3 API Reference*. (see [below for nested schema](#nestedatt--inventory_configurations)) +- `lifecycle_configuration` (Attributes) Specifies the lifecycle configuration for objects in an Amazon S3 bucket. For more information, see [Object Lifecycle Management](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html) in the *Amazon S3 User Guide*. (see [below for nested schema](#nestedatt--lifecycle_configuration)) - `logging_configuration` (Attributes) Settings that define where logs are stored. (see [below for nested schema](#nestedatt--logging_configuration)) -- `metrics_configurations` (Attributes List) Settings that define a metrics configuration for the CloudWatch request metrics from the bucket. (see [below for nested schema](#nestedatt--metrics_configurations)) +- `metrics_configurations` (Attributes List) Specifies a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from an Amazon S3 bucket. If you're updating an existing metrics configuration, note that this is a full replacement of the existing metrics configuration. If you don't include the elements you want to keep, they are erased. For more information, see [PutBucketMetricsConfiguration](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTMetricConfiguration.html). 
(see [below for nested schema](#nestedatt--metrics_configurations)) - `notification_configuration` (Attributes) Configuration that defines how Amazon S3 handles bucket notifications. (see [below for nested schema](#nestedatt--notification_configuration)) -- `object_lock_configuration` (Attributes) Places an Object Lock configuration on the specified bucket. (see [below for nested schema](#nestedatt--object_lock_configuration)) -- `object_lock_enabled` (Boolean) Indicates whether this bucket has an Object Lock configuration enabled. -- `ownership_controls` (Attributes) Specifies the container element for object ownership rules. (see [below for nested schema](#nestedatt--ownership_controls)) +- `object_lock_configuration` (Attributes) This operation is not supported by directory buckets. + Places an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see [Locking Objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html). + + The ``DefaultRetention`` settings require both a mode and a period. + + The ``DefaultRetention`` period can be either ``Days`` or ``Years`` but you must select one. You cannot specify ``Days`` and ``Years`` at the same time. + + You can enable Object Lock for new or existing buckets. For more information, see [Configuring Object Lock](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-configure.html). (see [below for nested schema](#nestedatt--object_lock_configuration)) +- `object_lock_enabled` (Boolean) Indicates whether this bucket has an Object Lock configuration enabled. Enable ``ObjectLockEnabled`` when you apply ``ObjectLockConfiguration`` to a bucket. +- `ownership_controls` (Attributes) Configuration that defines how Amazon S3 handles Object Ownership rules. 
(see [below for nested schema](#nestedatt--ownership_controls)) - `public_access_block_configuration` (Attributes) Configuration that defines how Amazon S3 handles public access. (see [below for nested schema](#nestedatt--public_access_block_configuration)) - `regional_domain_name` (String) Returns the regional domain name of the specified bucket. -- `replication_configuration` (Attributes) Configuration for replicating objects in an S3 bucket. (see [below for nested schema](#nestedatt--replication_configuration)) +- `replication_configuration` (Attributes) Configuration for replicating objects in an S3 bucket. To enable replication, you must also enable versioning by using the ``VersioningConfiguration`` property. + Amazon S3 can store replicated objects in a single destination bucket or multiple destination buckets. The destination bucket or buckets must already exist. (see [below for nested schema](#nestedatt--replication_configuration)) - `tags` (Attributes List) An arbitrary set of tags (key-value pairs) for this S3 bucket. (see [below for nested schema](#nestedatt--tags)) -- `versioning_configuration` (Attributes) Describes the versioning state of an Amazon S3 bucket. (see [below for nested schema](#nestedatt--versioning_configuration)) -- `website_configuration` (Attributes) Specifies website configuration parameters for an Amazon S3 bucket. (see [below for nested schema](#nestedatt--website_configuration)) +- `versioning_configuration` (Attributes) Enables multiple versions of all objects in this bucket. You might enable versioning to prevent objects from being deleted or overwritten by mistake or to archive objects so that you can retrieve previous versions of them. (see [below for nested schema](#nestedatt--versioning_configuration)) +- `website_configuration` (Attributes) Information used to configure the bucket as a static website. 
For more information, see [Hosting Websites on Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html). (see [below for nested schema](#nestedatt--website_configuration)) - `website_url` (String) The Amazon S3 website endpoint for the specified bucket. @@ -52,7 +61,7 @@ Data Source schema for AWS::S3::Bucket Read-Only: -- `acceleration_status` (String) Configures the transfer acceleration state for an Amazon S3 bucket. +- `acceleration_status` (String) Specifies the transfer acceleration status of the bucket. @@ -62,8 +71,9 @@ Read-Only: - `id` (String) The ID that identifies the analytics configuration. - `prefix` (String) The prefix that an object must have to be included in the analytics results. -- `storage_class_analysis` (Attributes) Specifies data related to access patterns to be collected and made available to analyze the tradeoffs between different storage classes for an Amazon S3 bucket. (see [below for nested schema](#nestedatt--analytics_configurations--storage_class_analysis)) -- `tag_filters` (Attributes List) (see [below for nested schema](#nestedatt--analytics_configurations--tag_filters)) +- `storage_class_analysis` (Attributes) Contains data related to access patterns to be collected and made available to analyze the tradeoffs between different storage classes. (see [below for nested schema](#nestedatt--analytics_configurations--storage_class_analysis)) +- `tag_filters` (Attributes List) The tags to use when evaluating an analytics filter. + The analytics only includes objects that meet the filter's criteria. If no filter is specified, all of the contents of the bucket are included in the analysis. (see [below for nested schema](#nestedatt--analytics_configurations--tag_filters)) ### Nested Schema for `analytics_configurations.storage_class_analysis` 
@@ -77,17 +87,19 @@ Read-Only: Read-Only: -- `destination` (Attributes) Specifies information about where to publish analysis or configuration results for an Amazon S3 bucket and S3 Replication Time Control (S3 RTC). (see [below for nested schema](#nestedatt--analytics_configurations--storage_class_analysis--data_export--destination)) -- `output_schema_version` (String) The version of the output schema to use when exporting data. +- `destination` (Attributes) The place to store the data for an analysis. (see [below for nested schema](#nestedatt--analytics_configurations--storage_class_analysis--data_export--destination)) +- `output_schema_version` (String) The version of the output schema to use when exporting data. Must be ``V_1``. ### Nested Schema for `analytics_configurations.storage_class_analysis.data_export.output_schema_version` Read-Only: -- `bucket_account_id` (String) The account ID that owns the destination S3 bucket. +- `bucket_account_id` (String) The account ID that owns the destination S3 bucket. If no account ID is provided, the owner is not validated before exporting data. + Although this value is optional, we strongly recommend that you set it to help prevent problems if the destination bucket ownership changes. - `bucket_arn` (String) The Amazon Resource Name (ARN) of the bucket to which data is exported. - `format` (String) Specifies the file format used when exporting data to Amazon S3. + *Allowed values*: ``CSV`` | ``ORC`` | ``Parquet`` - `prefix` (String) The prefix to use when exporting data. The prefix is prepended to all results. @@ -98,8 +110,8 @@ Read-Only: Read-Only: -- `key` (String) -- `value` (String) +- `key` (String) The tag key. +- `value` (String) The tag value. 
@@ -115,7 +127,8 @@ Read-Only: Read-Only: -- `bucket_key_enabled` (Boolean) Specifies whether Amazon S3 should use an S3 Bucket Key with server-side encryption using KMS (SSE-KMS) for new objects in the bucket. Existing objects are not affected. Setting the BucketKeyEnabled element to true causes Amazon S3 to use an S3 Bucket Key. By default, S3 Bucket Key is not enabled. +- `bucket_key_enabled` (Boolean) Specifies whether Amazon S3 should use an S3 Bucket Key with server-side encryption using KMS (SSE-KMS) for new objects in the bucket. Existing objects are not affected. Setting the ``BucketKeyEnabled`` element to ``true`` causes Amazon S3 to use an S3 Bucket Key. By default, S3 Bucket Key is not enabled. + For more information, see [Amazon S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html) in the *Amazon S3 User Guide*. - `server_side_encryption_by_default` (Attributes) Specifies the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. (see [below for nested schema](#nestedatt--bucket_encryption--server_side_encryption_configuration--server_side_encryption_by_default)) 
@@ -123,8 +136,16 @@ Read-Only: Read-Only: -- `kms_master_key_id` (String) "KMSMasterKeyID" can only be used when you set the value of SSEAlgorithm as aws:kms or aws:kms:dsse. -- `sse_algorithm` (String) +- `kms_master_key_id` (String) AWS Key Management Service (KMS) customer AWS KMS key ID to use for the default encryption. This parameter is allowed if and only if ``SSEAlgorithm`` is set to ``aws:kms`` or ``aws:kms:dsse``. + You can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the KMS key. + + Key ID: ``1234abcd-12ab-34cd-56ef-1234567890ab`` + + Key ARN: ``arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`` + + Key Alias: ``alias/alias-name`` + + If you use a key ID, you can run into a LogDestination undeliverable error when creating a VPC flow log. + If you are using encryption with cross-account or AWS service operations you must use a fully qualified KMS key ARN. For more information, see [Using encryption for cross-account operations](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy). + Amazon S3 only supports symmetric encryption KMS keys. For more information, see [Asymmetric keys in KMS](https://docs.aws.amazon.com//kms/latest/developerguide/symmetric-asymmetric.html) in the *Key Management Service Developer Guide*. +- `sse_algorithm` (String) Server-side encryption algorithm to use for the default encryption. 
@@ -134,18 +155,19 @@ Read-Only: Read-Only: -- `cors_rules` (Attributes List) (see [below for nested schema](#nestedatt--cors_configuration--cors_rules)) +- `cors_rules` (Attributes List) A set of origins and methods (cross-origin access that you want to allow). You can add up to 100 rules to the configuration. (see [below for nested schema](#nestedatt--cors_configuration--cors_rules)) ### Nested Schema for `cors_configuration.cors_rules` Read-Only: -- `allowed_headers` (List of String) Headers that are specified in the Access-Control-Request-Headers header. -- `allowed_methods` (List of String) An HTTP method that you allow the origin to execute. +- `allowed_headers` (List of String) Headers that are specified in the ``Access-Control-Request-Headers`` header. These headers are allowed in a preflight OPTIONS request. In response to any preflight OPTIONS request, Amazon S3 returns any requested headers that are allowed. +- `allowed_methods` (List of String) An HTTP method that you allow the origin to run. + *Allowed values*: ``GET`` | ``PUT`` | ``HEAD`` | ``POST`` | ``DELETE`` - `allowed_origins` (List of String) One or more origins you want customers to be able to access the bucket from. -- `exposed_headers` (List of String) One or more headers in the response that you want customers to be able to access from their applications (for example, from a JavaScript XMLHttpRequest object). -- `id` (String) A unique identifier for this rule. +- `exposed_headers` (List of String) One or more headers in the response that you want customers to be able to access from their applications (for example, from a JavaScript ``XMLHttpRequest`` object). +- `id` (String) A unique identifier for this rule. The value must be no more than 255 characters. - `max_age` (Number) The time in seconds that your browser is to cache the preflight response for the specified resource. 
@@ -159,15 +181,16 @@ Read-Only: - `prefix` (String) An object key name prefix that identifies the subset of objects to which the rule applies. - `status` (String) Specifies the status of the configuration. - `tag_filters` (Attributes List) A container for a key-value pair. (see [below for nested schema](#nestedatt--intelligent_tiering_configurations--tag_filters)) -- `tierings` (Attributes List) Specifies a list of S3 Intelligent-Tiering storage class tiers in the configuration. At least one tier must be defined in the list. At most, you can specify two tiers in the list, one for each available AccessTier: ARCHIVE_ACCESS and DEEP_ARCHIVE_ACCESS. (see [below for nested schema](#nestedatt--intelligent_tiering_configurations--tierings)) +- `tierings` (Attributes List) Specifies a list of S3 Intelligent-Tiering storage class tiers in the configuration. At least one tier must be defined in the list. At most, you can specify two tiers in the list, one for each available AccessTier: ``ARCHIVE_ACCESS`` and ``DEEP_ARCHIVE_ACCESS``. + You only need Intelligent Tiering Configuration enabled on a bucket if you want to automatically move objects stored in the Intelligent-Tiering storage class to Archive Access or Deep Archive Access tiers. (see [below for nested schema](#nestedatt--intelligent_tiering_configurations--tierings)) ### Nested Schema for `intelligent_tiering_configurations.tag_filters` Read-Only: -- `key` (String) -- `value` (String) +- `key` (String) The tag key. +- `value` (String) The tag value. 
@@ -175,7 +198,7 @@ Read-Only: Read-Only: -- `access_tier` (String) S3 Intelligent-Tiering access tier. See Storage class for automatically optimizing frequently and infrequently accessed objects for a list of access tiers in the S3 Intelligent-Tiering storage class. +- `access_tier` (String) S3 Intelligent-Tiering access tier. See [Storage class for automatically optimizing frequently and infrequently accessed objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html#sc-dynamic-data-access) for a list of access tiers in the S3 Intelligent-Tiering storage class. - `days` (Number) The number of consecutive days of no access after which an object will be eligible to be transitioned to the corresponding tier. The minimum number of days specified for Archive Access tier must be at least 90 days and Deep Archive Access tier must be at least 180 days. The maximum can be up to 2 years (730 days). 
@@ -185,12 +208,12 @@ Read-Only: Read-Only: -- `destination` (Attributes) Specifies information about where to publish analysis or configuration results for an Amazon S3 bucket and S3 Replication Time Control (S3 RTC). (see [below for nested schema](#nestedatt--inventory_configurations--destination)) -- `enabled` (Boolean) Specifies whether the inventory is enabled or disabled. +- `destination` (Attributes) Contains information about where to publish the inventory results. (see [below for nested schema](#nestedatt--inventory_configurations--destination)) +- `enabled` (Boolean) Specifies whether the inventory is enabled or disabled. If set to ``True``, an inventory list is generated. If set to ``False``, no inventory list is generated. - `id` (String) The ID used to identify the inventory configuration. -- `included_object_versions` (String) Object versions to include in the inventory list. +- `included_object_versions` (String) Object versions to include in the inventory list. If set to ``All``, the list includes all the object versions, which adds the version-related fields ``VersionId``, ``IsLatest``, and ``DeleteMarker`` to the list. If set to ``Current``, the list does not contain these version-related fields. - `optional_fields` (List of String) Contains the optional fields that are included in the inventory results. -- `prefix` (String) The prefix that is prepended to all inventory results. +- `prefix` (String) Specifies the inventory filter prefix. - `schedule_frequency` (String) Specifies the schedule for generating inventory results. 
@@ -198,9 +221,11 @@ Read-Only: Read-Only: -- `bucket_account_id` (String) The account ID that owns the destination S3 bucket. +- `bucket_account_id` (String) The account ID that owns the destination S3 bucket. If no account ID is provided, the owner is not validated before exporting data. + Although this value is optional, we strongly recommend that you set it to help prevent problems if the destination bucket ownership changes. - `bucket_arn` (String) The Amazon Resource Name (ARN) of the bucket to which data is exported. - `format` (String) Specifies the file format used when exporting data to Amazon S3. + *Allowed values*: ``CSV`` | ``ORC`` | ``Parquet`` - `prefix` (String) The prefix to use when exporting data. The prefix is prepended to all results. 
@@ -217,29 +242,30 @@ Read-Only: Read-Only: -- `abort_incomplete_multipart_upload` (Attributes) Specifies the days since the initiation of an incomplete multipart upload that Amazon S3 will wait before permanently removing all parts of the upload. (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--abort_incomplete_multipart_upload)) -- `expiration_date` (String) The date value in ISO 8601 format. The timezone is always UTC. (YYYY-MM-DDThh:mm:ssZ) -- `expiration_in_days` (Number) -- `expired_object_delete_marker` (Boolean) -- `id` (String) -- `noncurrent_version_expiration` (Attributes) Container for the expiration rule that describes when noncurrent objects are expired. If your bucket is versioning-enabled (or versioning is suspended), you can set this action to request that Amazon S3 expire noncurrent object versions at a specific period in the object's lifetime (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--noncurrent_version_expiration)) -- `noncurrent_version_expiration_in_days` (Number) -- `noncurrent_version_transition` (Attributes) Container for the transition rule that describes when noncurrent objects transition to the STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER_IR, GLACIER, or DEEP_ARCHIVE storage class. If your bucket is versioning-enabled (or versioning is suspended), you can set this action to request that Amazon S3 transition noncurrent object versions to the STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER_IR, GLACIER, or DEEP_ARCHIVE storage class at a specific period in the object's lifetime. 
(see [below for nested schema](#nestedatt--lifecycle_configuration--rules--noncurrent_version_transition)) -- `noncurrent_version_transitions` (Attributes List) (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--noncurrent_version_transitions)) -- `object_size_greater_than` (String) -- `object_size_less_than` (String) -- `prefix` (String) -- `status` (String) -- `tag_filters` (Attributes List) (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--tag_filters)) -- `transition` (Attributes) You must specify at least one of "TransitionDate" and "TransitionInDays" (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--transition)) -- `transitions` (Attributes List) (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--transitions)) +- `abort_incomplete_multipart_upload` (Attributes) Specifies a lifecycle rule that stops incomplete multipart uploads to an Amazon S3 bucket. (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--abort_incomplete_multipart_upload)) +- `expiration_date` (String) Indicates when objects are deleted from Amazon S3 and Amazon S3 Glacier. The date value must be in ISO 8601 format. The time is always midnight UTC. If you specify an expiration and transition time, you must use the same time unit for both properties (either in days or by date). The expiration time must also be later than the transition time. +- `expiration_in_days` (Number) Indicates the number of days after creation when objects are deleted from Amazon S3 and Amazon S3 Glacier. If you specify an expiration and transition time, you must use the same time unit for both properties (either in days or by date). The expiration time must also be later than the transition time. +- `expired_object_delete_marker` (Boolean) Indicates whether Amazon S3 will remove a delete marker without any noncurrent versions. 
If set to true, the delete marker will be removed if there are no noncurrent versions. This cannot be specified with ``ExpirationInDays``, ``ExpirationDate``, or ``TagFilters``. +- `id` (String) Unique identifier for the rule. The value can't be longer than 255 characters. +- `noncurrent_version_expiration` (Attributes) Specifies when noncurrent object versions expire. Upon expiration, S3 permanently deletes the noncurrent object versions. You set this lifecycle configuration action on a bucket that has versioning enabled (or suspended) to request that S3 delete noncurrent object versions at a specific period in the object's lifetime. (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--noncurrent_version_expiration)) +- `noncurrent_version_expiration_in_days` (Number) (Deprecated.) For buckets with versioning enabled (or suspended), specifies the time, in days, between when a new version of the object is uploaded to the bucket and when old versions of the object expire. When object versions expire, Amazon S3 permanently deletes them. If you specify a transition and expiration time, the expiration time must be later than the transition time. +- `noncurrent_version_transition` (Attributes) (Deprecated.) For buckets with versioning enabled (or suspended), specifies when non-current objects transition to a specified storage class. If you specify a transition and expiration time, the expiration time must be later than the transition time. If you specify this property, don't specify the ``NoncurrentVersionTransitions`` property. (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--noncurrent_version_transition)) +- `noncurrent_version_transitions` (Attributes List) For buckets with versioning enabled (or suspended), one or more transition rules that specify when non-current objects transition to a specified storage class. 
If you specify a transition and expiration time, the expiration time must be later than the transition time. If you specify this property, don't specify the ``NoncurrentVersionTransition`` property. (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--noncurrent_version_transitions)) +- `object_size_greater_than` (String) Specifies the minimum object size in bytes for this rule to apply to. Objects must be larger than this value in bytes. For more information about size based rules, see [Lifecycle configuration using size-based rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-configuration-examples.html#lc-size-rules) in the *Amazon S3 User Guide*. +- `object_size_less_than` (String) Specifies the maximum object size in bytes for this rule to apply to. Objects must be smaller than this value in bytes. For more information about sized based rules, see [Lifecycle configuration using size-based rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-configuration-examples.html#lc-size-rules) in the *Amazon S3 User Guide*. +- `prefix` (String) Object key prefix that identifies one or more objects to which this rule applies. + Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints). +- `status` (String) If ``Enabled``, the rule is currently being applied. If ``Disabled``, the rule is not currently being applied. +- `tag_filters` (Attributes List) Tags to use to identify a subset of objects to which the lifecycle rule applies. (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--tag_filters)) +- `transition` (Attributes) (Deprecated.) Specifies when an object transitions to a specified storage class. 
If you specify an expiration and transition time, you must use the same time unit for both properties (either in days or by date). The expiration time must also be later than the transition time. If you specify this property, don't specify the ``Transitions`` property. (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--transition)) +- `transitions` (Attributes List) One or more transition rules that specify when an object transitions to a specified storage class. If you specify an expiration and transition time, you must use the same time unit for both properties (either in days or by date). The expiration time must also be later than the transition time. If you specify this property, don't specify the ``Transition`` property. (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--transitions)) ### Nested Schema for `lifecycle_configuration.rules.abort_incomplete_multipart_upload` Read-Only: -- `days_after_initiation` (Number) Specifies the number of days after which Amazon S3 aborts an incomplete multipart upload. +- `days_after_initiation` (Number) Specifies the number of days after which Amazon S3 stops an incomplete multipart upload. 
@@ -247,8 +273,8 @@ Read-Only: Read-Only: -- `newer_noncurrent_versions` (Number) Specified the number of newer noncurrent and current versions that must exists before performing the associated action -- `noncurrent_days` (Number) Specified the number of days an object is noncurrent before Amazon S3 can perform the associated action +- `newer_noncurrent_versions` (Number) Specifies how many noncurrent versions S3 will retain. If there are this many more recent noncurrent versions, S3 will take the associated action. For more information about noncurrent versions, see [Lifecycle configuration elements](https://docs.aws.amazon.com/AmazonS3/latest/userguide/intro-lifecycle-rules.html) in the *Amazon S3 User Guide*. +- `noncurrent_days` (Number) Specifies the number of days an object is noncurrent before S3 can perform the associated action. For information about the noncurrent days calculations, see [How Amazon S3 Calculates When an Object Became Noncurrent](https://docs.aws.amazon.com/AmazonS3/latest/dev/intro-lifecycle-rules.html#non-current-days-calculations) in the *Amazon S3 User Guide*. 
@@ -256,9 +282,9 @@ Read-Only: Read-Only: -- `newer_noncurrent_versions` (Number) Specified the number of newer noncurrent and current versions that must exists before performing the associated action +- `newer_noncurrent_versions` (Number) Specifies how many noncurrent versions S3 will retain. If there are this many more recent noncurrent versions, S3 will take the associated action. For more information about noncurrent versions, see [Lifecycle configuration elements](https://docs.aws.amazon.com/AmazonS3/latest/userguide/intro-lifecycle-rules.html) in the *Amazon S3 User Guide*. - `storage_class` (String) The class of storage used to store the object. -- `transition_in_days` (Number) Specifies the number of days an object is noncurrent before Amazon S3 can perform the associated action. +- `transition_in_days` (Number) Specifies the number of days an object is noncurrent before Amazon S3 can perform the associated action. For information about the noncurrent days calculations, see [How Amazon S3 Calculates How Long an Object Has Been Noncurrent](https://docs.aws.amazon.com/AmazonS3/latest/dev/intro-lifecycle-rules.html#non-current-days-calculations) in the *Amazon S3 User Guide*. 
@@ -266,9 +292,9 @@ Read-Only: Read-Only: -- `newer_noncurrent_versions` (Number) Specified the number of newer noncurrent and current versions that must exists before performing the associated action +- `newer_noncurrent_versions` (Number) Specifies how many noncurrent versions S3 will retain. If there are this many more recent noncurrent versions, S3 will take the associated action. For more information about noncurrent versions, see [Lifecycle configuration elements](https://docs.aws.amazon.com/AmazonS3/latest/userguide/intro-lifecycle-rules.html) in the *Amazon S3 User Guide*. - `storage_class` (String) The class of storage used to store the object. -- `transition_in_days` (Number) Specifies the number of days an object is noncurrent before Amazon S3 can perform the associated action. +- `transition_in_days` (Number) Specifies the number of days an object is noncurrent before Amazon S3 can perform the associated action. For information about the noncurrent days calculations, see [How Amazon S3 Calculates How Long an Object Has Been Noncurrent](https://docs.aws.amazon.com/AmazonS3/latest/dev/intro-lifecycle-rules.html#non-current-days-calculations) in the *Amazon S3 User Guide*. @@ -276,8 +302,8 @@ Read-Only: Read-Only: -- `key` (String) -- `value` (String) +- `key` (String) The tag key. +- `value` (String) The tag value. 
@@ -285,9 +311,9 @@ Read-Only: Read-Only: -- `storage_class` (String) -- `transition_date` (String) The date value in ISO 8601 format. The timezone is always UTC. (YYYY-MM-DDThh:mm:ssZ) -- `transition_in_days` (Number) +- `storage_class` (String) The storage class to which you want the object to transition. +- `transition_date` (String) Indicates when objects are transitioned to the specified storage class. The date value must be in ISO 8601 format. The time is always midnight UTC. +- `transition_in_days` (Number) Indicates the number of days after creation when objects are transitioned to the specified storage class. The value must be a positive integer. @@ -295,9 +321,9 @@ Read-Only: Read-Only: -- `storage_class` (String) -- `transition_date` (String) The date value in ISO 8601 format. The timezone is always UTC. (YYYY-MM-DDThh:mm:ssZ) -- `transition_in_days` (Number) +- `storage_class` (String) The storage class to which you want the object to transition. +- `transition_date` (String) Indicates when objects are transitioned to the specified storage class. The date value must be in ISO 8601 format. The time is always midnight UTC. +- `transition_in_days` (Number) Indicates the number of days after creation when objects are transitioned to the specified storage class. The value must be a positive integer. 
@@ -307,16 +333,18 @@ Read-Only: Read-Only: -- `destination_bucket_name` (String) The name of an Amazon S3 bucket where Amazon S3 store server access log files. You can store log files in any bucket that you own. By default, logs are stored in the bucket where the LoggingConfiguration property is defined. -- `log_file_prefix` (String) -- `target_object_key_format` (Attributes) Describes the key format for server access log file in the target bucket. You can choose between SimplePrefix and PartitionedPrefix. (see [below for nested schema](#nestedatt--logging_configuration--target_object_key_format)) +- `destination_bucket_name` (String) The name of the bucket where Amazon S3 should store server access log files. You can store log files in any bucket that you own. By default, logs are stored in the bucket where the ``LoggingConfiguration`` property is defined. +- `log_file_prefix` (String) A prefix for all log object keys. If you store log files from multiple Amazon S3 buckets in a single bucket, you can use a prefix to distinguish which log files came from which bucket. +- `target_object_key_format` (Attributes) Amazon S3 key format for log objects. Only one format, either PartitionedPrefix or SimplePrefix, is allowed. (see [below for nested schema](#nestedatt--logging_configuration--target_object_key_format)) ### Nested Schema for `logging_configuration.target_object_key_format` Read-Only: -- `partitioned_prefix` (Attributes) This format appends a time based prefix to the given log file prefix for delivering server access log file. 
(see [below for nested schema](#nestedatt--logging_configuration--target_object_key_format--partitioned_prefix)) +- `partitioned_prefix` (Attributes) Amazon S3 keys for log objects are partitioned in the following format: + ``[DestinationPrefix][SourceAccountId]/[SourceRegion]/[SourceBucket]/[YYYY]/[MM]/[DD]/[YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]`` + PartitionedPrefix defaults to EventTime delivery when server access logs are delivered. (see [below for nested schema](#nestedatt--logging_configuration--target_object_key_format--partitioned_prefix)) - `simple_prefix` (String) This format defaults the prefix to the given log file prefix for delivering server access log file. @@ -324,7 +352,7 @@ Read-Only: Read-Only: -- `partition_date_source` (String) Date Source for creating a partitioned prefix. This can be event time or delivery time. +- `partition_date_source` (String) Specifies the partition date source for the partitioned prefix. PartitionDateSource can be EventTime or DeliveryTime. 
@@ -334,18 +362,18 @@ Read-Only: Read-Only: -- `access_point_arn` (String) -- `id` (String) -- `prefix` (String) -- `tag_filters` (Attributes List) (see [below for nested schema](#nestedatt--metrics_configurations--tag_filters)) +- `access_point_arn` (String) The access point that was used while performing operations on the object. The metrics configuration only includes objects that meet the filter's criteria. +- `id` (String) The ID used to identify the metrics configuration. This can be any value you choose that helps you identify your metrics configuration. +- `prefix` (String) The prefix that an object must have to be included in the metrics results. +- `tag_filters` (Attributes List) Specifies a list of tag filters to use as a metrics configuration filter. The metrics configuration includes only objects that meet the filter's criteria. (see [below for nested schema](#nestedatt--metrics_configurations--tag_filters)) ### Nested Schema for `metrics_configurations.tag_filters` Read-Only: -- `key` (String) -- `value` (String) +- `key` (String) The tag key. +- `value` (String) The tag value. 
@@ -354,17 +382,17 @@ Read-Only: Read-Only: -- `event_bridge_configuration` (Attributes) Describes the Amazon EventBridge notification configuration for an Amazon S3 bucket. (see [below for nested schema](#nestedatt--notification_configuration--event_bridge_configuration)) -- `lambda_configurations` (Attributes List) (see [below for nested schema](#nestedatt--notification_configuration--lambda_configurations)) -- `queue_configurations` (Attributes List) (see [below for nested schema](#nestedatt--notification_configuration--queue_configurations)) -- `topic_configurations` (Attributes List) (see [below for nested schema](#nestedatt--notification_configuration--topic_configurations)) +- `event_bridge_configuration` (Attributes) Enables delivery of events to Amazon EventBridge. (see [below for nested schema](#nestedatt--notification_configuration--event_bridge_configuration)) +- `lambda_configurations` (Attributes List) Describes the LAMlong functions to invoke and the events for which to invoke them. (see [below for nested schema](#nestedatt--notification_configuration--lambda_configurations)) +- `queue_configurations` (Attributes List) The Amazon Simple Queue Service queues to publish messages to and the events for which to publish messages. (see [below for nested schema](#nestedatt--notification_configuration--queue_configurations)) +- `topic_configurations` (Attributes List) The topic to which notifications are sent and the events for which notifications are generated. (see [below for nested schema](#nestedatt--notification_configuration--topic_configurations)) ### Nested Schema for `notification_configuration.event_bridge_configuration` Read-Only: -- `event_bridge_enabled` (Boolean) Specifies whether to send notifications to Amazon EventBridge when events occur in an Amazon S3 bucket. +- `event_bridge_enabled` (Boolean) Enables delivery of events to Amazon EventBridge. 
@@ -372,9 +400,9 @@ Read-Only: Read-Only: -- `event` (String) The Amazon S3 bucket event for which to invoke the AWS Lambda function. -- `filter` (Attributes) The filtering rules that determine which objects invoke the AWS Lambda function. (see [below for nested schema](#nestedatt--notification_configuration--lambda_configurations--filter)) -- `function` (String) The Amazon Resource Name (ARN) of the AWS Lambda function that Amazon S3 invokes when the specified event type occurs. +- `event` (String) The Amazon S3 bucket event for which to invoke the LAMlong function. For more information, see [Supported Event Types](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html) in the *Amazon S3 User Guide*. +- `filter` (Attributes) The filtering rules that determine which objects invoke the AWS Lambda function. For example, you can create a filter so that only image files with a ``.jpg`` extension invoke the function when they are added to the Amazon S3 bucket. (see [below for nested schema](#nestedatt--notification_configuration--lambda_configurations--filter)) +- `function` (String) The Amazon Resource Name (ARN) of the LAMlong function that Amazon S3 invokes when the specified event type occurs. ### Nested Schema for `notification_configuration.lambda_configurations.filter` 
@@ -388,15 +416,15 @@ Read-Only: Read-Only: -- `rules` (Attributes List) (see [below for nested schema](#nestedatt--notification_configuration--lambda_configurations--filter--s3_key--rules)) +- `rules` (Attributes List) A list of containers for the key-value pair that defines the criteria for the filter rule. (see [below for nested schema](#nestedatt--notification_configuration--lambda_configurations--filter--s3_key--rules)) ### Nested Schema for `notification_configuration.lambda_configurations.filter.s3_key.rules` Read-Only: -- `name` (String) -- `value` (String) +- `name` (String) The object key name prefix or suffix identifying one or more objects to which the filtering rule applies. The maximum length is 1,024 characters. Overlapping prefixes and suffixes are not supported. For more information, see [Configuring Event Notifications](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html) in the *Amazon S3 User Guide*. +- `value` (String) The value that the filter searches for in object key names. 
@@ -407,9 +435,9 @@ Read-Only: Read-Only: -- `event` (String) The Amazon S3 bucket event about which you want to publish messages to Amazon SQS. -- `filter` (Attributes) The filtering rules that determine which objects trigger notifications. (see [below for nested schema](#nestedatt--notification_configuration--queue_configurations--filter)) -- `queue` (String) The Amazon Resource Name (ARN) of the Amazon SQS queue to which Amazon S3 publishes a message when it detects events of the specified type. +- `event` (String) The Amazon S3 bucket event about which you want to publish messages to Amazon SQS. For more information, see [Supported Event Types](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html) in the *Amazon S3 User Guide*. +- `filter` (Attributes) The filtering rules that determine which objects trigger notifications. For example, you can create a filter so that Amazon S3 sends notifications only when image files with a ``.jpg`` extension are added to the bucket. For more information, see [Configuring event notifications using object key name filtering](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/notification-how-to-filtering.html) in the *Amazon S3 User Guide*. (see [below for nested schema](#nestedatt--notification_configuration--queue_configurations--filter)) +- `queue` (String) The Amazon Resource Name (ARN) of the Amazon SQS queue to which Amazon S3 publishes a message when it detects events of the specified type. FIFO queues are not allowed when enabling an SQS queue as the event notification destination. ### Nested Schema for `notification_configuration.queue_configurations.filter` 
@@ -423,15 +451,15 @@ Read-Only: Read-Only: -- `rules` (Attributes List) (see [below for nested schema](#nestedatt--notification_configuration--queue_configurations--filter--s3_key--rules)) +- `rules` (Attributes List) A list of containers for the key-value pair that defines the criteria for the filter rule. (see [below for nested schema](#nestedatt--notification_configuration--queue_configurations--filter--s3_key--rules)) ### Nested Schema for `notification_configuration.queue_configurations.filter.s3_key.rules` Read-Only: -- `name` (String) -- `value` (String) +- `name` (String) The object key name prefix or suffix identifying one or more objects to which the filtering rule applies. The maximum length is 1,024 characters. Overlapping prefixes and suffixes are not supported. For more information, see [Configuring Event Notifications](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html) in the *Amazon S3 User Guide*. +- `value` (String) The value that the filter searches for in object key names. 
@@ -442,8 +470,8 @@ Read-Only: Read-Only: -- `event` (String) The Amazon S3 bucket event about which to send notifications. -- `filter` (Attributes) The filtering rules that determine for which objects to send notifications. (see [below for nested schema](#nestedatt--notification_configuration--topic_configurations--filter)) +- `event` (String) The Amazon S3 bucket event about which to send notifications. For more information, see [Supported Event Types](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html) in the *Amazon S3 User Guide*. +- `filter` (Attributes) The filtering rules that determine for which objects to send notifications. For example, you can create a filter so that Amazon S3 sends notifications only when image files with a ``.jpg`` extension are added to the bucket. (see [below for nested schema](#nestedatt--notification_configuration--topic_configurations--filter)) - `topic` (String) The Amazon Resource Name (ARN) of the Amazon SNS topic to which Amazon S3 publishes a message when it detects events of the specified type. 
@@ -458,15 +486,15 @@ Read-Only: Read-Only: -- `rules` (Attributes List) (see [below for nested schema](#nestedatt--notification_configuration--topic_configurations--filter--s3_key--rules)) +- `rules` (Attributes List) A list of containers for the key-value pair that defines the criteria for the filter rule. (see [below for nested schema](#nestedatt--notification_configuration--topic_configurations--filter--s3_key--rules)) ### Nested Schema for `notification_configuration.topic_configurations.filter.s3_key.rules` Read-Only: -- `name` (String) -- `value` (String) +- `name` (String) The object key name prefix or suffix identifying one or more objects to which the filtering rule applies. The maximum length is 1,024 characters. Overlapping prefixes and suffixes are not supported. For more information, see [Configuring Event Notifications](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html) in the *Amazon S3 User Guide*. +- `value` (String) The value that the filter searches for in object key names. 
@@ -478,24 +506,24 @@ Read-Only: Read-Only: -- `object_lock_enabled` (String) -- `rule` (Attributes) The Object Lock rule in place for the specified object. (see [below for nested schema](#nestedatt--object_lock_configuration--rule)) +- `object_lock_enabled` (String) Indicates whether this bucket has an Object Lock configuration enabled. Enable ``ObjectLockEnabled`` when you apply ``ObjectLockConfiguration`` to a bucket. +- `rule` (Attributes) Specifies the Object Lock rule for the specified object. Enable this rule when you apply ``ObjectLockConfiguration`` to a bucket. If Object Lock is turned on, bucket settings require both ``Mode`` and a period of either ``Days`` or ``Years``. You cannot specify ``Days`` and ``Years`` at the same time. For more information, see [ObjectLockRule](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-objectlockrule.html) and [DefaultRetention](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-defaultretention.html). (see [below for nested schema](#nestedatt--object_lock_configuration--rule)) ### Nested Schema for `object_lock_configuration.rule` Read-Only: -- `default_retention` (Attributes) The default retention period that you want to apply to new objects placed in the specified bucket. (see [below for nested schema](#nestedatt--object_lock_configuration--rule--default_retention)) +- `default_retention` (Attributes) The default Object Lock retention mode and period that you want to apply to new objects placed in the specified bucket. If Object Lock is turned on, bucket settings require both ``Mode`` and a period of either ``Days`` or ``Years``. You cannot specify ``Days`` and ``Years`` at the same time. For more information about allowable values for mode and period, see [DefaultRetention](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-defaultretention.html). 
(see [below for nested schema](#nestedatt--object_lock_configuration--rule--default_retention)) ### Nested Schema for `object_lock_configuration.rule.default_retention` Read-Only: -- `days` (Number) -- `mode` (String) -- `years` (Number) +- `days` (Number) The number of days that you want to specify for the default retention period. If Object Lock is turned on, you must specify ``Mode`` and specify either ``Days`` or ``Years``. +- `mode` (String) The default Object Lock retention mode you want to apply to new objects placed in the specified bucket. If Object Lock is turned on, you must specify ``Mode`` and specify either ``Days`` or ``Years``. +- `years` (Number) The number of years that you want to specify for the default retention period. If Object Lock is turned on, you must specify ``Mode`` and specify either ``Days`` or ``Years``. @@ -505,7 +533,7 @@ Read-Only: Read-Only: -- `rules` (Attributes List) (see [below for nested schema](#nestedatt--ownership_controls--rules)) +- `rules` (Attributes List) Specifies the container element for Object Ownership rules. (see [below for nested schema](#nestedatt--ownership_controls--rules)) ### Nested Schema for `ownership_controls.rules` 
@@ -521,16 +549,18 @@ Read-Only: Read-Only: -- `block_public_acls` (Boolean) Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to TRUE causes the following behavior: -- PUT Bucket acl and PUT Object acl calls fail if the specified ACL is public. - - PUT Object calls fail if the request includes a public ACL. -Enabling this setting doesn't affect existing policies or ACLs. -- `block_public_policy` (Boolean) Specifies whether Amazon S3 should block public bucket policies for this bucket. Setting this element to TRUE causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access. -Enabling this setting doesn't affect existing bucket policies. -- `ignore_public_acls` (Boolean) Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. Setting this element to TRUE causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket. -Enabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set. -- `restrict_public_buckets` (Boolean) Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to TRUE restricts access to this bucket to only AWS services and authorized users within this account if the bucket has a public policy. -Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked. +- `block_public_acls` (Boolean) Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to ``TRUE`` causes the following behavior: + + PUT Bucket ACL and PUT Object ACL calls fail if the specified ACL is public. 
+ + PUT Object calls fail if the request includes a public ACL. + + PUT Bucket calls fail if the request includes a public ACL. + + Enabling this setting doesn't affect existing policies or ACLs. +- `block_public_policy` (Boolean) Specifies whether Amazon S3 should block public bucket policies for this bucket. Setting this element to ``TRUE`` causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access. + Enabling this setting doesn't affect existing bucket policies. +- `ignore_public_acls` (Boolean) Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. Setting this element to ``TRUE`` causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket. + Enabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set. +- `restrict_public_buckets` (Boolean) Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to ``TRUE`` restricts access to this bucket to only AWS-service principals and authorized users within this account if the bucket has a public policy. + Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked. 
@@ -538,21 +568,26 @@ Enabling this setting doesn't affect previously stored bucket policies, except t Read-Only: -- `role` (String) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that Amazon S3 assumes when replicating objects. -- `rules` (Attributes List) A container for one or more replication rules. (see [below for nested schema](#nestedatt--replication_configuration--rules)) +- `role` (String) The Amazon Resource Name (ARN) of the IAMlong (IAM) role that Amazon S3 assumes when replicating objects. For more information, see [How to Set Up Replication](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-how-setup.html) in the *Amazon S3 User Guide*. +- `rules` (Attributes List) A container for one or more replication rules. A replication configuration must have at least one rule and can contain a maximum of 1,000 rules. (see [below for nested schema](#nestedatt--replication_configuration--rules)) ### Nested Schema for `replication_configuration.rules` Read-Only: -- `delete_marker_replication` (Attributes) (see [below for nested schema](#nestedatt--replication_configuration--rules--delete_marker_replication)) -- `destination` (Attributes) Specifies which Amazon S3 bucket to store replicated objects in and their storage class. (see [below for nested schema](#nestedatt--replication_configuration--rules--destination)) -- `filter` (Attributes) (see [below for nested schema](#nestedatt--replication_configuration--rules--filter)) -- `id` (String) A unique identifier for the rule. -- `prefix` (String) An object key name prefix that identifies the object or objects to which the rule applies. -- `priority` (Number) -- `source_selection_criteria` (Attributes) A container that describes additional filters for identifying the source objects that you want to replicate. 
(see [below for nested schema](#nestedatt--replication_configuration--rules--source_selection_criteria)) +- `delete_marker_replication` (Attributes) Specifies whether Amazon S3 replicates delete markers. If you specify a ``Filter`` in your replication configuration, you must also include a ``DeleteMarkerReplication`` element. If your ``Filter`` includes a ``Tag`` element, the ``DeleteMarkerReplication`` ``Status`` must be set to Disabled, because Amazon S3 does not support replicating delete markers for tag-based rules. For an example configuration, see [Basic Rule Configuration](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-add-config.html#replication-config-min-rule-config). + For more information about delete marker replication, see [Basic Rule Configuration](https://docs.aws.amazon.com/AmazonS3/latest/dev/delete-marker-replication.html). + If you are using an earlier version of the replication configuration, Amazon S3 handles replication of delete markers differently. For more information, see [Backward Compatibility](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-add-config.html#replication-backward-compat-considerations). (see [below for nested schema](#nestedatt--replication_configuration--rules--delete_marker_replication)) +- `destination` (Attributes) A container for information about the replication destination and its configurations including enabling the S3 Replication Time Control (S3 RTC). (see [below for nested schema](#nestedatt--replication_configuration--rules--destination)) +- `filter` (Attributes) A filter that identifies the subset of objects to which the replication rule applies. A ``Filter`` must specify exactly one ``Prefix``, ``TagFilter``, or an ``And`` child element. The use of the filter field indicates that this is a V2 replication configuration. This field isn't supported in a V1 replication configuration. + V1 replication configuration only supports filtering by key prefix. 
To filter using a V1 replication configuration, add the ``Prefix`` directly as a child element of the ``Rule`` element. (see [below for nested schema](#nestedatt--replication_configuration--rules--filter)) +- `id` (String) A unique identifier for the rule. The maximum value is 255 characters. If you don't specify a value, AWS CloudFormation generates a random ID. When using a V2 replication configuration this property is capitalized as "ID". +- `prefix` (String) An object key name prefix that identifies the object or objects to which the rule applies. The maximum prefix length is 1,024 characters. To include all objects in a bucket, specify an empty string. To filter using a V1 replication configuration, add the ``Prefix`` directly as a child element of the ``Rule`` element. + Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints). +- `priority` (Number) The priority indicates which rule has precedence whenever two or more replication rules conflict. Amazon S3 will attempt to replicate objects according to all replication rules. However, if there are two or more rules with the same destination bucket, then objects will be replicated according to the rule with the highest priority. The higher the number, the higher the priority. + For more information, see [Replication](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication.html) in the *Amazon S3 User Guide*. +- `source_selection_criteria` (Attributes) A container that describes additional filters for identifying the source objects that you want to replicate. You can choose to enable or disable the replication of these objects. 
(see [below for nested schema](#nestedatt--replication_configuration--rules--source_selection_criteria)) - `status` (String) Specifies whether the rule is enabled. @@ -560,7 +595,7 @@ Read-Only: Read-Only: -- `status` (String) +- `status` (String) Indicates whether to replicate delete markers. Disabled by default. 
@@ -568,20 +603,22 @@ Read-Only: Read-Only: -- `access_control_translation` (Attributes) Specify this only in a cross-account scenario (where source and destination bucket owners are not the same), and you want to change replica ownership to the AWS account that owns the destination bucket. If this is not specified in the replication configuration, the replicas are owned by same AWS account that owns the source object. (see [below for nested schema](#nestedatt--replication_configuration--rules--destination--access_control_translation)) -- `account` (String) -- `bucket` (String) -- `encryption_configuration` (Attributes) Specifies encryption-related information for an Amazon S3 bucket that is a destination for replicated objects. (see [below for nested schema](#nestedatt--replication_configuration--rules--destination--encryption_configuration)) -- `metrics` (Attributes) (see [below for nested schema](#nestedatt--replication_configuration--rules--destination--metrics)) -- `replication_time` (Attributes) (see [below for nested schema](#nestedatt--replication_configuration--rules--destination--replication_time)) -- `storage_class` (String) The storage class to use when replicating objects, such as S3 Standard or reduced redundancy. +- `access_control_translation` (Attributes) Specify this only in a cross-account scenario (where source and destination bucket owners are not the same), and you want to change replica ownership to the AWS-account that owns the destination bucket. If this is not specified in the replication configuration, the replicas are owned by same AWS-account that owns the source object. (see [below for nested schema](#nestedatt--replication_configuration--rules--destination--access_control_translation)) +- `account` (String) Destination bucket owner account ID. 
In a cross-account scenario, if you direct Amazon S3 to change replica ownership to the AWS-account that owns the destination bucket by specifying the ``AccessControlTranslation`` property, this is the account ID of the destination bucket owner. For more information, see [Cross-Region Replication Additional Configuration: Change Replica Owner](https://docs.aws.amazon.com/AmazonS3/latest/dev/crr-change-owner.html) in the *Amazon S3 User Guide*. + If you specify the ``AccessControlTranslation`` property, the ``Account`` property is required. +- `bucket` (String) The Amazon Resource Name (ARN) of the bucket where you want Amazon S3 to store the results. +- `encryption_configuration` (Attributes) Specifies encryption-related information. (see [below for nested schema](#nestedatt--replication_configuration--rules--destination--encryption_configuration)) +- `metrics` (Attributes) A container specifying replication metrics-related settings enabling replication metrics and events. (see [below for nested schema](#nestedatt--replication_configuration--rules--destination--metrics)) +- `replication_time` (Attributes) A container specifying S3 Replication Time Control (S3 RTC), including whether S3 RTC is enabled and the time when all objects and operations on objects must be replicated. Must be specified together with a ``Metrics`` block. (see [below for nested schema](#nestedatt--replication_configuration--rules--destination--replication_time)) +- `storage_class` (String) The storage class to use when replicating objects, such as S3 Standard or reduced redundancy. By default, Amazon S3 uses the storage class of the source object to create the object replica. + For valid values, see the ``StorageClass`` element of the [PUT Bucket replication](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTreplication.html) action in the *Amazon S3 API Reference*. 
### Nested Schema for `replication_configuration.rules.destination.storage_class` Read-Only: -- `owner` (String) +- `owner` (String) Specifies the replica ownership. For default and valid values, see [PUT bucket replication](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTreplication.html) in the *Amazon S3 API Reference*. @@ -589,7 +626,7 @@ Read-Only: Read-Only: -- `replica_kms_key_id` (String) Specifies the ID (Key ARN or Alias ARN) of the customer managed customer master key (CMK) stored in AWS Key Management Service (KMS) for the destination bucket. +- `replica_kms_key_id` (String) Specifies the ID (Key ARN or Alias ARN) of the customer managed AWS KMS key stored in AWS Key Management Service (KMS) for the destination bucket. Amazon S3 uses this key to encrypt replica objects. Amazon S3 only supports symmetric encryption KMS keys. For more information, see [Asymmetric keys in KMS](https://docs.aws.amazon.com//kms/latest/developerguide/symmetric-asymmetric.html) in the *Key Management Service Developer Guide*. @@ -597,15 +634,16 @@ Read-Only: Read-Only: -- `event_threshold` (Attributes) (see [below for nested schema](#nestedatt--replication_configuration--rules--destination--storage_class--event_threshold)) -- `status` (String) +- `event_threshold` (Attributes) A container specifying the time threshold for emitting the ``s3:Replication:OperationMissedThreshold`` event. (see [below for nested schema](#nestedatt--replication_configuration--rules--destination--storage_class--event_threshold)) +- `status` (String) Specifies whether the replication metrics are enabled. ### Nested Schema for `replication_configuration.rules.destination.storage_class.event_threshold` Read-Only: -- `minutes` (Number) +- `minutes` (Number) Contains an integer specifying time in minutes. + Valid value: 15 
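Review bot: the `replica_kms_key_id` link in hunk `@@ -589,7 +626,7 @@` has a doubled slash, `https://docs.aws.amazon.com//kms/latest/developerguide/symmetric-asymmetric.html`; this is the one field that tells users which KMS key encrypts replica objects, so the reference should resolve. Drop the extra `/` in the upstream description. In hunk `@@ -568,20 +603,22 @@` the new `access_control_translation` text turns "AWS account" into "AWS-account" twice where the removed line had it unhyphenated, which reads like an abbreviation-expansion artifact rather than an intended change. Also note that the nested-schema anchors for `access_control_translation`, `metrics` and `replication_time` all resolve to `...destination--storage_class--...` (the `owner` schema is headed `replication_configuration.rules.destination.storage_class`), so the "see below" links land on mislabelled sections.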
@@ -614,15 +652,16 @@ Read-Only: Read-Only: -- `status` (String) -- `time` (Attributes) (see [below for nested schema](#nestedatt--replication_configuration--rules--destination--storage_class--time)) +- `status` (String) Specifies whether the replication time is enabled. +- `time` (Attributes) A container specifying the time by which replication should be complete for all objects and operations on objects. (see [below for nested schema](#nestedatt--replication_configuration--rules--destination--storage_class--time)) ### Nested Schema for `replication_configuration.rules.destination.storage_class.time` Read-Only: -- `minutes` (Number) +- `minutes` (Number) Contains an integer specifying time in minutes. + Valid value: 15 
@@ -632,25 +671,29 @@ Read-Only: Read-Only: -- `and` (Attributes) (see [below for nested schema](#nestedatt--replication_configuration--rules--filter--and)) -- `prefix` (String) -- `tag_filter` (Attributes) Tags to use to identify a subset of objects for an Amazon S3 bucket. (see [below for nested schema](#nestedatt--replication_configuration--rules--filter--tag_filter)) +- `and` (Attributes) A container for specifying rule filters. The filters determine the subset of objects to which the rule applies. This element is required only if you specify more than one filter. For example: + + If you specify both a ``Prefix`` and a ``TagFilter``, wrap these filters in an ``And`` tag. + + If you specify a filter based on multiple tags, wrap the ``TagFilter`` elements in an ``And`` tag. (see [below for nested schema](#nestedatt--replication_configuration--rules--filter--and)) +- `prefix` (String) An object key name prefix that identifies the subset of objects to which the rule applies. + Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints). +- `tag_filter` (Attributes) A container for specifying a tag key and value. + The rule applies only to objects that have the tag in their tag set. (see [below for nested schema](#nestedatt--replication_configuration--rules--filter--tag_filter)) ### Nested Schema for `replication_configuration.rules.filter.tag_filter` Read-Only: -- `prefix` (String) -- `tag_filters` (Attributes List) (see [below for nested schema](#nestedatt--replication_configuration--rules--filter--tag_filter--tag_filters)) +- `prefix` (String) An object key name prefix that identifies the subset of objects to which the rule applies. +- `tag_filters` (Attributes List) An array of tags containing key and value pairs. 
(see [below for nested schema](#nestedatt--replication_configuration--rules--filter--tag_filter--tag_filters)) ### Nested Schema for `replication_configuration.rules.filter.tag_filter.tag_filters` Read-Only: -- `key` (String) -- `value` (String) +- `key` (String) The tag key. +- `value` (String) The tag value. @@ -659,8 +702,8 @@ Read-Only: Read-Only: -- `key` (String) -- `value` (String) +- `key` (String) The tag key. +- `value` (String) The tag value. @@ -678,6 +721,7 @@ Read-Only: Read-Only: - `status` (String) Specifies whether Amazon S3 replicates modifications on replicas. + *Allowed values*: ``Enabled`` | ``Disabled`` @@ -685,7 +729,7 @@ Read-Only: Read-Only: -- `status` (String) Specifies whether Amazon S3 replicates objects created with server-side encryption using a customer master key (CMK) stored in AWS Key Management Service. +- `status` (String) Specifies whether Amazon S3 replicates objects created with server-side encryption using an AWS KMS key stored in AWS Key Management Service. @@ -696,8 +740,8 @@ Read-Only: Read-Only: -- `key` (String) -- `value` (String) +- `key` (String) Name of the object key. +- `value` (String) Value of the tag. 
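Review bot: in hunk `@@ -696,8 +740,8 @@` the tag `key` is described as "Name of the object key." while its sibling reads "Value of the tag."; the identical pair in hunk `@@ -659,8 +702,8 @@` says "The tag key." / "The tag value.", which is the accurate wording and should be used here too, otherwise a reader may take the field for an object-key filter. Separately, in hunk `@@ -632,25 +671,29 @@` the section headed `replication_configuration.rules.filter.tag_filter` lists `prefix` and `tag_filters`, which are the fields of the `And` container described just above it, while `tag_filter` itself is documented as "A container for specifying a tag key and value"; the generated anchors for `and` and `tag_filter` appear to have collapsed into one.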
@@ -715,8 +759,9 @@ Read-Only: - `error_document` (String) The name of the error document for the website. - `index_document` (String) The name of the index document for the website. -- `redirect_all_requests_to` (Attributes) Specifies the redirect behavior of all requests to a website endpoint of an Amazon S3 bucket. (see [below for nested schema](#nestedatt--website_configuration--redirect_all_requests_to)) -- `routing_rules` (Attributes List) (see [below for nested schema](#nestedatt--website_configuration--routing_rules)) +- `redirect_all_requests_to` (Attributes) The redirect behavior for every request to this bucket's website endpoint. + If you specify this property, you can't specify any other property. (see [below for nested schema](#nestedatt--website_configuration--redirect_all_requests_to)) +- `routing_rules` (Attributes List) Rules that define when a redirect is applied and the redirect behavior. (see [below for nested schema](#nestedatt--website_configuration--routing_rules)) ### Nested Schema for `website_configuration.redirect_all_requests_to` 
@@ -733,7 +778,7 @@ Read-Only: Read-Only: - `redirect_rule` (Attributes) Container for redirect information. You can redirect requests to another host, to another page, or with another protocol. In the event of an error, you can specify a different error code to return. (see [below for nested schema](#nestedatt--website_configuration--routing_rules--redirect_rule)) -- `routing_rule_condition` (Attributes) A container for describing a condition that must be met for the specified redirect to apply.You must specify at least one of HttpErrorCodeReturnedEquals and KeyPrefixEquals (see [below for nested schema](#nestedatt--website_configuration--routing_rules--routing_rule_condition)) +- `routing_rule_condition` (Attributes) A container for describing a condition that must be met for the specified redirect to apply. For example, 1. If request is for pages in the ``/docs`` folder, redirect to the ``/documents`` folder. 2. If request results in HTTP error 4xx, redirect request to another host where you might process the error. (see [below for nested schema](#nestedatt--website_configuration--routing_rules--routing_rule_condition)) ### Nested Schema for `website_configuration.routing_rules.redirect_rule` 
@@ -743,8 +788,10 @@ Read-Only: - `host_name` (String) The host name to use in the redirect request. - `http_redirect_code` (String) The HTTP redirect code to use on the response. Not required if one of the siblings is present. - `protocol` (String) Protocol to use when redirecting requests. The default is the protocol that is used in the original request. -- `replace_key_prefix_with` (String) The object key prefix to use in the redirect request. -- `replace_key_with` (String) The specific object key to use in the redirect request.d +- `replace_key_prefix_with` (String) The object key prefix to use in the redirect request. For example, to redirect requests for all pages with prefix ``docs/`` (objects in the ``docs/`` folder) to ``documents/``, you can set a condition block with ``KeyPrefixEquals`` set to ``docs/`` and in the Redirect set ``ReplaceKeyPrefixWith`` to ``/documents``. Not required if one of the siblings is present. Can be present only if ``ReplaceKeyWith`` is not provided. + Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints). +- `replace_key_with` (String) The specific object key to use in the redirect request. For example, redirect request to ``error.html``. Not required if one of the siblings is present. Can be present only if ``ReplaceKeyPrefixWith`` is not provided. + Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints). 
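Review bot: the new `replace_key_prefix_with` example in hunk `@@ -743,8 +788,10 @@` is internally inconsistent: it says requests with prefix ``docs/`` are redirected to ``documents/`` and then tells the reader to set ``ReplaceKeyPrefixWith`` to ``/documents`` (leading slash, no trailing slash), so replacing `docs/` in `docs/foo` with the literal given yields `/documentsfoo`, not `documents/foo`. Use the same form, `documents/`, in both places. The stray trailing "d" in the removed `replace_key_with` line is gone, good.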
@@ -752,5 +799,7 @@ Read-Only: Read-Only: -- `http_error_code_returned_equals` (String) The HTTP error code when the redirect is applied. -- `key_prefix_equals` (String) The object key name prefix when the redirect is applied. +- `http_error_code_returned_equals` (String) The HTTP error code when the redirect is applied. In the event of an error, if the error code equals this value, then the specified redirect is applied. + Required when parent element ``Condition`` is specified and sibling ``KeyPrefixEquals`` is not specified. If both are specified, then both must be true for the redirect to be applied. +- `key_prefix_equals` (String) The object key name prefix when the redirect is applied. For example, to redirect requests for ``ExamplePage.html``, the key prefix will be ``ExamplePage.html``. To redirect request for all pages with the prefix ``docs/``, the key prefix will be ``/docs``, which identifies all objects in the docs/ folder. + Required when the parent element ``Condition`` is specified and sibling ``HttpErrorCodeReturnedEquals`` is not specified. If both conditions are specified, both must be true for the redirect to be applied. diff --git a/docs/data-sources/s3_bucket_policy.md b/docs/data-sources/s3_bucket_policy.md index 51b5b0cd7d..8b4b9076c8 100644 --- a/docs/data-sources/s3_bucket_policy.md +++ b/docs/data-sources/s3_bucket_policy.md 
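Review bot: in hunk `@@ -752,5 +799,7 @@` the `key_prefix_equals` example says the prefix "will be ``/docs``, which identifies all objects in the docs/ folder", which contradicts itself within one sentence: a prefix of `/docs` and keys under `docs/` do not even share a first character. The sentence before it uses `docs/` (and `ExamplePage.html` as an exact-match prefix), so `docs/` is the form to keep. The added "Required when the parent element ``Condition`` is specified and sibling ... is not specified. If both conditions are specified, both must be true" text is a good addition; it restores the constraint that the `routing_rule_condition` hunk removed from the container description.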
@@ -22,4 +22,4 @@ Data Source schema for AWS::S3::BucketPolicy ### Read-Only - `bucket` (String) The name of the Amazon S3 bucket to which the policy applies. -- `policy_document` (String) A policy document containing permissions to add to the specified bucket. In IAM, you must provide policy documents in JSON format. However, in CloudFormation you can provide the policy in JSON or YAML format because CloudFormation converts YAML to JSON before submitting it to IAM. +- `policy_document` (String) A policy document containing permissions to add to the specified bucket. In IAM, you must provide policy documents in JSON format. However, in CloudFormation you can provide the policy in JSON or YAML format because CloudFormation converts YAML to JSON before submitting it to IAM. For more information, see the AWS::IAM::Policy [PolicyDocument](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-policydocument) resource description in this guide and [Access Policy Language Overview](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html) in the *Amazon S3 User Guide*. diff --git a/docs/data-sources/sagemaker_feature_group.md b/docs/data-sources/sagemaker_feature_group.md index 058a8d6c6b..f9e2c13c38 100644 --- a/docs/data-sources/sagemaker_feature_group.md +++ b/docs/data-sources/sagemaker_feature_group.md @@ -81,6 +81,7 @@ Read-Only: - `enable_online_store` (Boolean) - `security_config` (Attributes) (see [below for nested schema](#nestedatt--online_store_config--security_config)) - `storage_type` (String) +- `ttl_duration` (Attributes) TTL configuration of the feature group (see [below for nested schema](#nestedatt--online_store_config--ttl_duration)) ### Nested Schema for `online_store_config.security_config` 
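Review bot: the `policy_document` text added in hunk `@@ -22,4 +22,4 @@` says "see the AWS::IAM::Policy PolicyDocument resource description in this guide", but "this guide" is the CloudFormation User Guide the sentence was copied from, not the provider documentation; name the guide explicitly. The "Access Policy Language Overview" link also uses the older `AmazonS3/latest/dev/` path while other descriptions in this patch link to `AmazonS3/latest/userguide/`.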
@@ -90,6 +91,15 @@ Read-Only: - `kms_key_id` (String) + +### Nested Schema for `online_store_config.ttl_duration` + +Read-Only: + +- `unit` (String) Unit of ttl configuration +- `value` (Number) Value of ttl configuration + + ### Nested Schema for `tags` diff --git a/docs/data-sources/secretsmanager_secret.md b/docs/data-sources/secretsmanager_secret.md index 0d26eb5292..47434071b1 100644 --- a/docs/data-sources/secretsmanager_secret.md +++ b/docs/data-sources/secretsmanager_secret.md 
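Review bot: the new `online_store_config.ttl_duration` schema in hunk `@@ -90,6 +91,15 @@` documents `unit` as "Unit of ttl configuration" and `value` as "Value of ttl configuration", which tells the reader nothing the field names do not already say. Other hunks in this patch add "*Allowed values*" lines; the accepted units and the range of `value` should be listed here too so users can tell what record expiry they are actually configuring.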
@@ -21,29 +21,39 @@ Data Source schema for AWS::SecretsManager::Secret ### Read-Only -- `description` (String) (Optional) Specifies a user-provided description of the secret. -- `generate_secret_string` (Attributes) (Optional) Specifies text data that you want to encrypt and store in this new version of the secret. (see [below for nested schema](#nestedatt--generate_secret_string)) -- `kms_key_id` (String) (Optional) Specifies the ARN, Key ID, or alias of the AWS KMS customer master key (CMK) used to encrypt the SecretString. -- `name` (String) The friendly name of the secret. You can use forward slashes in the name to represent a path hierarchy. -- `replica_regions` (Attributes List) (Optional) A list of ReplicaRegion objects. The ReplicaRegion type consists of a Region (required) and the KmsKeyId which can be an ARN, Key ID, or Alias. (see [below for nested schema](#nestedatt--replica_regions)) -- `secret_string` (String) (Optional) Specifies text data that you want to encrypt and store in this new version of the secret. -- `tags` (Attributes List) The list of user-defined tags associated with the secret. Use tags to manage your AWS resources. For additional information about tags, see TagResource. (see [below for nested schema](#nestedatt--tags)) +- `description` (String) The description of the secret. +- `generate_secret_string` (Attributes) A structure that specifies how to generate a password to encrypt and store in the secret. To include a specific string in the secret, use ``SecretString`` instead. If you omit both ``GenerateSecretString`` and ``SecretString``, you create an empty secret. When you make a change to this property, a new secret version is created. + We recommend that you specify the maximum length and include every character type that the system you are generating a password for can support. 
(see [below for nested schema](#nestedatt--generate_secret_string)) +- `kms_key_id` (String) The ARN, key ID, or alias of the KMS key that Secrets Manager uses to encrypt the secret value in the secret. An alias is always prefixed by ``alias/``, for example ``alias/aws/secretsmanager``. For more information, see [About aliases](https://docs.aws.amazon.com/kms/latest/developerguide/alias-about.html). + To use a KMS key in a different account, use the key ARN or the alias ARN. + If you don't specify this value, then Secrets Manager uses the key ``aws/secretsmanager``. If that key doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value. + If the secret is in a different AWS account from the credentials calling the API, then you can't use ``aws/secretsmanager`` to encrypt the secret, and you must create and use a customer managed KMS key. +- `name` (String) The name of the new secret. + The secret name can contain ASCII letters, numbers, and the following characters: /_+=.@- + Do not end your secret name with a hyphen followed by six characters. If you do so, you risk confusion and unexpected results when searching for a secret by partial ARN. Secrets Manager automatically adds a hyphen and six random characters after the secret name at the end of the ARN. +- `replica_regions` (Attributes List) A custom type that specifies a ``Region`` and the ``KmsKeyId`` for a replica secret. (see [below for nested schema](#nestedatt--replica_regions)) +- `secret_string` (String) The text to encrypt and store in the secret. We recommend you use a JSON structure of key/value pairs for your secret value. To generate a random password, use ``GenerateSecretString`` instead. If you omit both ``GenerateSecretString`` and ``SecretString``, you create an empty secret. When you make a change to this property, a new secret version is created. +- `tags` (Attributes List) A list of tags to attach to the secret. 
Each tag is a key and value pair of strings in a JSON text string, for example: + ``[{"Key":"CostCenter","Value":"12345"},{"Key":"environment","Value":"production"}]`` + Secrets Manager tag key names are case sensitive. A tag with the key "ABC" is a different tag from one with key "abc". + Stack-level tags, tags you apply to the CloudFormation stack, are also attached to the secret. + If you check tags in permissions policies as part of your security strategy, then adding or removing a tag can change permissions. If the completion of this operation would result in you losing your permissions for this secret, then Secrets Manager blocks the operation and returns an ``Access Denied`` error. For more information, see [Control access to secrets using tags](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#tag-secrets-abac) and [Limit access to identities with tags that match secrets' tags](https://docs.aws.amazo (see [below for nested schema](#nestedatt--tags)) ### Nested Schema for `generate_secret_string` Read-Only: -- `exclude_characters` (String) A string that excludes characters in the generated password. By default, all characters from the included sets can be used. The string can be a minimum length of 0 characters and a maximum length of 7168 characters. -- `exclude_lowercase` (Boolean) Specifies the generated password should not include lowercase letters. By default, ecrets Manager disables this parameter, and the generated password can include lowercase False, and the generated password can include lowercase letters. -- `exclude_numbers` (Boolean) Specifies that the generated password should exclude digits. By default, Secrets Manager does not enable the parameter, False, and the generated password can include digits. -- `exclude_punctuation` (Boolean) Specifies that the generated password should not include punctuation characters. 
The default if you do not include this switch parameter is that punctuation characters can be included. -- `exclude_uppercase` (Boolean) Specifies that the generated password should not include uppercase letters. The default behavior is False, and the generated password can include uppercase letters. -- `generate_string_key` (String) The JSON key name used to add the generated password to the JSON structure specified by the SecretStringTemplate parameter. If you specify this parameter, then you must also specify SecretStringTemplate. -- `include_space` (Boolean) Specifies that the generated password can include the space character. By default, Secrets Manager disables this parameter, and the generated password doesn't include space -- `password_length` (Number) The desired length of the generated password. The default value if you do not include this parameter is 32 characters. -- `require_each_included_type` (Boolean) Specifies whether the generated password must include at least one of every allowed character type. By default, Secrets Manager enables this parameter, and the generated password includes at least one of every character type. -- `secret_string_template` (String) A properly structured JSON string that the generated password can be added to. If you specify this parameter, then you must also specify GenerateStringKey. +- `exclude_characters` (String) A string of the characters that you don't want in the password. +- `exclude_lowercase` (Boolean) Specifies whether to exclude lowercase letters from the password. If you don't include this switch, the password can contain lowercase letters. +- `exclude_numbers` (Boolean) Specifies whether to exclude numbers from the password. If you don't include this switch, the password can contain numbers. +- `exclude_punctuation` (Boolean) Specifies whether to exclude the following punctuation characters from the password: ``! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~``. 
If you don't include this switch, the password can contain punctuation. +- `exclude_uppercase` (Boolean) Specifies whether to exclude uppercase letters from the password. If you don't include this switch, the password can contain uppercase letters. +- `generate_string_key` (String) The JSON key name for the key/value pair, where the value is the generated password. This pair is added to the JSON structure specified by the ``SecretStringTemplate`` parameter. If you specify this parameter, then you must also specify ``SecretStringTemplate``. +- `include_space` (Boolean) Specifies whether to include the space character. If you include this switch, the password can contain space characters. +- `password_length` (Number) The length of the password. If you don't include this parameter, the default length is 32 characters. +- `require_each_included_type` (Boolean) Specifies whether to include at least one upper and lowercase letter, one number, and one punctuation. If you don't include this switch, the password contains at least one of every character type. +- `secret_string_template` (String) A template that the generated string must match. When you make a change to this property, a new secret version is created. @@ -51,8 +61,8 @@ Read-Only: Read-Only: -- `kms_key_id` (String) The ARN, key ID, or alias of the KMS key to encrypt the secret. If you don't include this field, Secrets Manager uses aws/secretsmanager. -- `region` (String) (Optional) A string that represents a Region, for example "us-east-1". +- `kms_key_id` (String) The ARN, key ID, or alias of the KMS key to encrypt the secret. If you don't include this field, Secrets Manager uses ``aws/secretsmanager``. +- `region` (String) A string that represents a ``Region``, for example "us-east-1". 
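Review bot: the `tags` description in hunk `@@ -21,29 +21,39 @@` is cut off mid-URL, `[Limit access to identities with tags that match secrets' tags](https://docs.amazo (see [below for nested schema]`, which leaves an unterminated link and breaks the Markdown of that line; the upstream description needs to be cut at a sentence boundary (or not at all), especially since the truncated sentence is the one warning that adding or removing a tag can change permissions and produce an ``Access Denied`` error. Smaller points in the same hunk: `secret_string_template` now reads "A template that the generated string must match", but the removed line and the new `generate_string_key` text describe it as the JSON structure the generated password is inserted into, so "must match" is misleading; and `replica_regions` is described as "A custom type that specifies a ``Region`` and the ``KmsKeyId``" although the attribute is a list of such entries.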
@@ -60,5 +70,5 @@ Read-Only: Read-Only: -- `key` (String) The value for the tag. You can specify a value that's 1 to 256 characters in length. -- `value` (String) The key name of the tag. You can specify a value that's 1 to 128 Unicode characters in length and can't be prefixed with aws. +- `key` (String) The key identifier, or name, of the tag. +- `value` (String) The string value associated with the key of the tag. diff --git a/docs/data-sources/securityhub_standard.md b/docs/data-sources/securityhub_standard.md index b50bba56db..632c708bc8 100644 --- a/docs/data-sources/securityhub_standard.md +++ b/docs/data-sources/securityhub_standard.md 
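Review bot: hunk `@@ -60,5 +70,5 @@` correctly un-swaps the tag `key`/`value` descriptions (the removed lines described `key` as "The value for the tag" and `value` as "The key name of the tag"), but in doing so it drops the constraints those lines carried: 1 to 128 characters and no `aws` prefix for the key, 1 to 256 characters for the value. Carry the limits over into the new text; the `aws` prefix restriction in particular is worth keeping visible.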
@@ -21,14 +21,15 @@ Data Source schema for AWS::SecurityHub::Standard ### Read-Only -- `disabled_standards_controls` (Attributes List) StandardsControls to disable from this Standard. (see [below for nested schema](#nestedatt--disabled_standards_controls)) -- `standards_arn` (String) The ARN of the Standard being enabled -- `standards_subscription_arn` (String) The ARN of the StandardsSubscription for the account ID, region, and Standard. +- `disabled_standards_controls` (Attributes List) Specifies which controls are to be disabled in a standard. + *Maximum*: ``100`` (see [below for nested schema](#nestedatt--disabled_standards_controls)) +- `standards_arn` (String) The ARN of the standard that you want to enable. To view a list of available ASH standards and their ARNs, use the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API operation. +- `standards_subscription_arn` (String) ### Nested Schema for `disabled_standards_controls` Read-Only: -- `reason` (String) the reason the standard control is disabled -- `standards_control_arn` (String) the Arn for the standard control. +- `reason` (String) A user-defined reason for changing a control's enablement status in a specified standard. If you are disabling a control, then this property is required. +- `standards_control_arn` (String) The Amazon Resource Name (ARN) of the control. diff --git a/docs/data-sources/wafv2_logging_configuration.md b/docs/data-sources/wafv2_logging_configuration.md index 55226238e1..1ec1a33d98 100644 --- a/docs/data-sources/wafv2_logging_configuration.md +++ b/docs/data-sources/wafv2_logging_configuration.md 
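Review bot: hunk `@@ -21,14 +21,15 @@` leaves `standards_subscription_arn` with no description at all, whereas the removed line had "The ARN of the StandardsSubscription for the account ID, region, and Standard."; that is a regression and the old sentence should be carried over. The new `standards_arn` text also says "available ASH standards", an unexpanded abbreviation that should read "Security Hub standards" to match the resource name `AWS::SecurityHub::Standard`.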
@@ -76,31 +76,11 @@ Read-Only: Read-Only: -- `json_body` (Attributes) Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. (see [below for nested schema](#nestedatt--redacted_fields--json_body)) - `method` (String) Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - `query_string` (String) Inspect the query string. This is the part of a URL that appears after a ? character, if any. - `single_header` (Attributes) Inspect a single header. Provide the name of the header to inspect, for example, User-Agent or Referer. This setting isn't case sensitive. (see [below for nested schema](#nestedatt--redacted_fields--single_header)) - `uri_path` (String) Inspect the request URI path. This is the part of a web request that identifies a resource, for example, /images/daily-ad.jpg. - -### Nested Schema for `redacted_fields.json_body` - -Read-Only: - -- `invalid_fallback_behavior` (String) What AWS WAF should do if it fails to completely parse the JSON body. -- `match_pattern` (Attributes) The patterns to look for in the JSON body. AWS WAF inspects the results of these pattern matches against the rule inspection criteria. (see [below for nested schema](#nestedatt--redacted_fields--json_body--match_pattern)) -- `match_scope` (String) The parts of the JSON to match against using the MatchPattern. If you specify All, AWS WAF matches against keys and values. - - -### Nested Schema for `redacted_fields.json_body.match_pattern` - -Read-Only: - -- `all` (String) Match all of the elements. See also MatchScope in JsonBody. You must specify either this setting or the IncludedPaths setting, but not both. -- `included_paths` (List of String) Match only the specified include paths. See also MatchScope in JsonBody. 
- - - ### Nested Schema for `redacted_fields.single_header` diff --git a/docs/resources/acmpca_certificate.md b/docs/resources/acmpca_certificate.md index f4f1732dbc..f8840282c1 100644 --- a/docs/resources/acmpca_certificate.md +++ b/docs/resources/acmpca_certificate.md @@ -3,12 +3,12 @@ page_title: "awscc_acmpca_certificate Resource - terraform-provider-awscc" subcategory: "" description: |- - A certificate issued via a private certificate authority + The AWS::ACMPCA::Certificate resource is used to issue a certificate using your private certificate authority. For more information, see the IssueCertificate https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html action. --- # awscc_acmpca_certificate (Resource) -A certificate issued via a private certificate authority +The ``AWS::ACMPCA::Certificate`` resource is used to issue a certificate using your private certificate authority. For more information, see the [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html) action. 
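Review bot: hunk `@@ -76,31 +76,11 @@` deletes `json_body` from `redacted_fields` together with the `redacted_fields.json_body` and `redacted_fields.json_body.match_pattern` schemas, while `method`, `query_string`, `single_header` and `uri_path` are untouched. Removing a redaction target from the logging configuration is user-visible: anyone who set `json_body` to keep request-body contents out of WAF logs loses the documentation with no hint why. A one-line changelog entry saying that JSON body redaction is no longer in the schema would help, and please confirm the removal tracks the upstream resource schema rather than a generator regression.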
@@ -17,21 +17,26 @@ A certificate issued via a private certificate authority ### Required -- `certificate_authority_arn` (String) The Amazon Resource Name (ARN) for the private CA to issue the certificate. -- `certificate_signing_request` (String) The certificate signing request (CSR) for the Certificate. -- `signing_algorithm` (String) The name of the algorithm that will be used to sign the Certificate. -- `validity` (Attributes) The time before which the Certificate will be valid. (see [below for nested schema](#nestedatt--validity)) +- `certificate_authority_arn` (String) The Amazon Resource Name (ARN) for the private CA issues the certificate. +- `certificate_signing_request` (String) The certificate signing request (CSR) for the certificate. +- `signing_algorithm` (String) The name of the algorithm that will be used to sign the certificate to be issued. + This parameter should not be confused with the ``SigningAlgorithm`` parameter used to sign a CSR in the ``CreateCertificateAuthority`` action. + The specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's secret key. +- `validity` (Attributes) The period of time during which the certificate will be valid. (see [below for nested schema](#nestedatt--validity)) ### Optional -- `api_passthrough` (Attributes) These are fields to be overridden in a certificate at the time of issuance. These requires an API_Passthrough template be used or they will be ignored. (see [below for nested schema](#nestedatt--api_passthrough)) -- `template_arn` (String) Specifies a custom configuration template to use when issuing a certificate. If this parameter is not provided, ACM Private CA defaults to the EndEntityCertificate/V1 template. -- `validity_not_before` (Attributes) The time after which the Certificate will be valid. 
(see [below for nested schema](#nestedatt--validity_not_before)) +- `api_passthrough` (Attributes) Specifies X.509 certificate information to be included in the issued certificate. An ``APIPassthrough`` or ``APICSRPassthrough`` template variant must be selected, or else this parameter is ignored. (see [below for nested schema](#nestedatt--api_passthrough)) +- `template_arn` (String) Specifies a custom configuration template to use when issuing a certificate. If this parameter is not provided, PCAshort defaults to the ``EndEntityCertificate/V1`` template. For more information about PCAshort templates, see [Using Templates](https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html). +- `validity_not_before` (Attributes) Information describing the start of the validity period of the certificate. This parameter sets the ?Not Before" date for the certificate. + By default, when issuing a certificate, PCAshort sets the "Not Before" date to the issuance time minus 60 minutes. This compensates for clock inconsistencies across computer systems. The ``ValidityNotBefore`` parameter can be used to customize the ?Not Before? value. + Unlike the ``Validity`` parameter, the ``ValidityNotBefore`` parameter is optional. + The ``ValidityNotBefore`` value is expressed as an explicit date and time, using the ``Validity`` type value ``ABSOLUTE``. (see [below for nested schema](#nestedatt--validity_not_before)) ### Read-Only -- `arn` (String) The ARN of the issued certificate. -- `certificate` (String) The issued certificate in base 64 PEM-encoded format. +- `arn` (String) +- `certificate` (String) - `id` (String) Uniquely identifies the resource. @@ -39,8 +44,8 @@ A certificate issued via a private certificate authority Required: -- `type` (String) -- `value` (Number) +- `type` (String) Specifies whether the ``Value`` parameter represents days, months, or years. +- `value` (Number) A long integer interpreted according to the value of ``Type``, below. 
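Review bot: hunk `@@ -17,21 +17,26 @@` regresses the Read-Only section: `arn` and `certificate` lose their descriptions ("The ARN of the issued certificate." and "The issued certificate in base 64 PEM-encoded format."), and the PEM note is exactly what a user needs to know what `certificate` holds, so restore both. Other defects in the added text: `certificate_authority_arn` now reads "for the private CA issues the certificate" (drop "issues", or restore "to issue"); "PCAshort" appears three times as an unexpanded abbreviation for AWS Private CA; and the `validity_not_before` text has mangled quotes, ``?Not Before"`` and ``?Not Before?``. The `signing_algorithm` caveat is useful, but "the CA's secret key" should be "the CA's private key", since the CA key is an asymmetric key pair.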
@@ -48,45 +53,46 @@ Required: Optional: -- `extensions` (Attributes) Structure that contains X.500 extensions for a Certificate. (see [below for nested schema](#nestedatt--api_passthrough--extensions)) -- `subject` (Attributes) Structure that contains X.500 distinguished name information. (see [below for nested schema](#nestedatt--api_passthrough--subject)) +- `extensions` (Attributes) Specifies X.509 extension information for a certificate. (see [below for nested schema](#nestedatt--api_passthrough--extensions)) +- `subject` (Attributes) Contains information about the certificate subject. The Subject field in the certificate identifies the entity that owns or controls the public key in the certificate. The entity can be a user, computer, device, or service. The Subject must contain an X.500 distinguished name (DN). A DN is a sequence of relative distinguished names (RDNs). The RDNs are separated by commas in the certificate. (see [below for nested schema](#nestedatt--api_passthrough--subject)) ### Nested Schema for `api_passthrough.extensions` Optional: -- `certificate_policies` (Attributes List) (see [below for nested schema](#nestedatt--api_passthrough--extensions--certificate_policies)) -- `custom_extensions` (Attributes List) Array of X.509 extensions for a certificate. (see [below for nested schema](#nestedatt--api_passthrough--extensions--custom_extensions)) -- `extended_key_usage` (Attributes List) (see [below for nested schema](#nestedatt--api_passthrough--extensions--extended_key_usage)) -- `key_usage` (Attributes) Structure that contains X.509 KeyUsage information. 
(see [below for nested schema](#nestedatt--api_passthrough--extensions--key_usage)) -- `subject_alternative_names` (Attributes List) (see [below for nested schema](#nestedatt--api_passthrough--extensions--subject_alternative_names)) +- `certificate_policies` (Attributes List) Contains a sequence of one or more policy information terms, each of which consists of an object identifier (OID) and optional qualifiers. For more information, see NIST's definition of [Object Identifier (OID)](https://docs.aws.amazon.com/https://csrc.nist.gov/glossary/term/Object_Identifier). + In an end-entity certificate, these terms indicate the policy under which the certificate was issued and the purposes for which it may be used. In a CA certificate, these terms limit the set of policies for certification paths that include this certificate. (see [below for nested schema](#nestedatt--api_passthrough--extensions--certificate_policies)) +- `custom_extensions` (Attributes List) Contains a sequence of one or more X.509 extensions, each of which consists of an object identifier (OID), a base64-encoded value, and the critical flag. For more information, see the [Global OID reference database.](https://docs.aws.amazon.com/https://oidref.com/2.5.29) (see [below for nested schema](#nestedatt--api_passthrough--extensions--custom_extensions)) +- `extended_key_usage` (Attributes List) Specifies additional purposes for which the certified public key may be used other than basic purposes indicated in the ``KeyUsage`` extension. (see [below for nested schema](#nestedatt--api_passthrough--extensions--extended_key_usage)) +- `key_usage` (Attributes) Defines one or more purposes for which the key contained in the certificate can be used. Default value for each option is false. 
(see [below for nested schema](#nestedatt--api_passthrough--extensions--key_usage)) +- `subject_alternative_names` (Attributes List) The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. (see [below for nested schema](#nestedatt--api_passthrough--extensions--subject_alternative_names)) ### Nested Schema for `api_passthrough.extensions.certificate_policies` Required: -- `cert_policy_id` (String) String that contains X.509 ObjectIdentifier information. +- `cert_policy_id` (String) Specifies the object identifier (OID) of the certificate policy under which the certificate was issued. For more information, see NIST's definition of [Object Identifier (OID)](https://docs.aws.amazon.com/https://csrc.nist.gov/glossary/term/Object_Identifier). Optional: -- `policy_qualifiers` (Attributes List) (see [below for nested schema](#nestedatt--api_passthrough--extensions--certificate_policies--policy_qualifiers)) +- `policy_qualifiers` (Attributes List) Modifies the given ``CertPolicyId`` with a qualifier. AWS Private CA supports the certification practice statement (CPS) qualifier. (see [below for nested schema](#nestedatt--api_passthrough--extensions--certificate_policies--policy_qualifiers)) ### Nested Schema for `api_passthrough.extensions.certificate_policies.policy_qualifiers` Required: -- `policy_qualifier_id` (String) -- `qualifier` (Attributes) Structure that contains a X.509 policy qualifier. (see [below for nested schema](#nestedatt--api_passthrough--extensions--certificate_policies--policy_qualifiers--qualifier)) +- `policy_qualifier_id` (String) Identifies the qualifier modifying a ``CertPolicyId``. +- `qualifier` (Attributes) Defines the qualifier type. AWS Private CA supports the use of a URI for a CPS qualifier in this field. 
(see [below for nested schema](#nestedatt--api_passthrough--extensions--certificate_policies--policy_qualifiers--qualifier)) ### Nested Schema for `api_passthrough.extensions.certificate_policies.policy_qualifiers.qualifier` Required: -- `cps_uri` (String) +- `cps_uri` (String) Contains a pointer to a certification practice statement (CPS) published by the CA. @@ -96,12 +102,12 @@ Required: Required: -- `object_identifier` (String) String that contains X.509 ObjectIdentifier information. -- `value` (String) +- `object_identifier` (String) Specifies the object identifier (OID) of the X.509 extension. For more information, see the [Global OID reference database.](https://docs.aws.amazon.com/https://oidref.com/2.5.29) +- `value` (String) Specifies the base64-encoded value of the X.509 extension. Optional: -- `critical` (Boolean) +- `critical` (Boolean) Specifies the critical flag of the X.509 extension. @@ -109,8 +115,8 @@ Optional: Optional: -- `extended_key_usage_object_identifier` (String) String that contains X.509 ObjectIdentifier information. -- `extended_key_usage_type` (String) +- `extended_key_usage_object_identifier` (String) Specifies a custom ``ExtendedKeyUsage`` with an object identifier (OID). +- `extended_key_usage_type` (String) Specifies a standard ``ExtendedKeyUsage`` as defined as in [RFC 5280](https://docs.aws.amazon.com/https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12). 
@@ -118,15 +124,15 @@ Optional: Optional: -- `crl_sign` (Boolean) -- `data_encipherment` (Boolean) -- `decipher_only` (Boolean) -- `digital_signature` (Boolean) -- `encipher_only` (Boolean) -- `key_agreement` (Boolean) -- `key_cert_sign` (Boolean) -- `key_encipherment` (Boolean) -- `non_repudiation` (Boolean) +- `crl_sign` (Boolean) Key can be used to sign CRLs. +- `data_encipherment` (Boolean) Key can be used to decipher data. +- `decipher_only` (Boolean) Key can be used only to decipher data. +- `digital_signature` (Boolean) Key can be used for digital signing. +- `encipher_only` (Boolean) Key can be used only to encipher data. +- `key_agreement` (Boolean) Key can be used in a key-agreement protocol. +- `key_cert_sign` (Boolean) Key can be used to sign certificates. +- `key_encipherment` (Boolean) Key can be used to encipher data. +- `non_repudiation` (Boolean) Key can be used for non-repudiation. 
@@ -134,43 +140,45 @@ Optional: Optional: -- `directory_name` (Attributes) Structure that contains X.500 distinguished name information. (see [below for nested schema](#nestedatt--api_passthrough--extensions--subject_alternative_names--directory_name)) -- `dns_name` (String) String that contains X.509 DnsName information. -- `edi_party_name` (Attributes) Structure that contains X.509 EdiPartyName information. (see [below for nested schema](#nestedatt--api_passthrough--extensions--subject_alternative_names--edi_party_name)) -- `ip_address` (String) String that contains X.509 IpAddress information. -- `other_name` (Attributes) Structure that contains X.509 OtherName information. (see [below for nested schema](#nestedatt--api_passthrough--extensions--subject_alternative_names--other_name)) -- `registered_id` (String) String that contains X.509 ObjectIdentifier information. -- `rfc_822_name` (String) String that contains X.509 Rfc822Name information. -- `uniform_resource_identifier` (String) String that contains X.509 UniformResourceIdentifier information. +- `directory_name` (Attributes) Contains information about the certificate subject. The certificate can be one issued by your private certificate authority (CA) or it can be your private CA certificate. The Subject field in the certificate identifies the entity that owns or controls the public key in the certificate. The entity can be a user, computer, device, or service. The Subject must contain an X.500 distinguished name (DN). A DN is a sequence of relative distinguished names (RDNs). The RDNs are separated by commas in the certificate. The DN must be unique for each entity, but your private CA can issue more than one certificate with the same DN to the same entity. (see [below for nested schema](#nestedatt--api_passthrough--extensions--subject_alternative_names--directory_name)) +- `dns_name` (String) Represents ``GeneralName`` as a DNS name. 
+- `edi_party_name` (Attributes) Represents ``GeneralName`` as an ``EdiPartyName`` object. (see [below for nested schema](#nestedatt--api_passthrough--extensions--subject_alternative_names--edi_party_name)) +- `ip_address` (String) Represents ``GeneralName`` as an IPv4 or IPv6 address. +- `other_name` (Attributes) Represents ``GeneralName`` using an ``OtherName`` object. (see [below for nested schema](#nestedatt--api_passthrough--extensions--subject_alternative_names--other_name)) +- `registered_id` (String) Represents ``GeneralName`` as an object identifier (OID). +- `rfc_822_name` (String) Represents ``GeneralName`` as an [RFC 822](https://docs.aws.amazon.com/https://datatracker.ietf.org/doc/html/rfc822) email address. +- `uniform_resource_identifier` (String) Represents ``GeneralName`` as a URI. ### Nested Schema for `api_passthrough.extensions.subject_alternative_names.uniform_resource_identifier` Optional: -- `common_name` (String) -- `country` (String) -- `custom_attributes` (Attributes List) Array of X.500 attribute type and value. CustomAttributes cannot be used along with pre-defined attributes. (see [below for nested schema](#nestedatt--api_passthrough--extensions--subject_alternative_names--uniform_resource_identifier--custom_attributes)) -- `distinguished_name_qualifier` (String) -- `generation_qualifier` (String) -- `given_name` (String) -- `initials` (String) -- `locality` (String) -- `organization` (String) -- `organizational_unit` (String) -- `pseudonym` (String) -- `serial_number` (String) -- `state` (String) -- `surname` (String) -- `title` (String) +- `common_name` (String) For CA and end-entity certificates in a private PKI, the common name (CN) can be any string within the length limit. + Note: In publicly trusted certificates, the common name must be a fully qualified domain name (FQDN) associated with the certificate subject. +- `country` (String) Two-digit code that specifies the country in which the certificate subject located. 
+- `custom_attributes` (Attributes List) Contains a sequence of one or more X.500 relative distinguished names (RDNs), each of which consists of an object identifier (OID) and a value. For more information, see NIST?s definition of [Object Identifier (OID)](https://docs.aws.amazon.com/https://csrc.nist.gov/glossary/term/Object_Identifier). + Custom attributes cannot be used in combination with standard attributes. (see [below for nested schema](#nestedatt--api_passthrough--extensions--subject_alternative_names--uniform_resource_identifier--custom_attributes)) +- `distinguished_name_qualifier` (String) Disambiguating information for the certificate subject. +- `generation_qualifier` (String) Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. +- `given_name` (String) First name. +- `initials` (String) Concatenation that typically contains the first letter of the *GivenName*, the first letter of the middle name if one exists, and the first letter of the *Surname*. +- `locality` (String) The locality (such as a city or town) in which the certificate subject is located. +- `organization` (String) Legal name of the organization with which the certificate subject is affiliated. +- `organizational_unit` (String) A subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. +- `pseudonym` (String) Typically a shortened version of a longer *GivenName*. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. +- `serial_number` (String) The certificate serial number. +- `state` (String) State in which the subject of the certificate is located. +- `surname` (String) Family name. In the US and the UK, for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. +- `title` (String) A title such as Mr. 
or Ms., which is pre-pended to the name to refer formally to the certificate subject. ### Nested Schema for `api_passthrough.extensions.subject_alternative_names.uniform_resource_identifier.custom_attributes` Required: -- `object_identifier` (String) String that contains X.509 ObjectIdentifier information. -- `value` (String) +- `object_identifier` (String) Specifies the object identifier (OID) of the attribute type of the relative distinguished name (RDN). +- `value` (String) Specifies the attribute value of relative distinguished name (RDN). @@ -179,8 +187,8 @@ Required: Required: -- `name_assigner` (String) -- `party_name` (String) +- `name_assigner` (String) Specifies the name assigner. +- `party_name` (String) Specifies the party name. @@ -188,8 +196,8 @@ Required: Required: -- `type_id` (String) String that contains X.509 ObjectIdentifier information. -- `value` (String) +- `type_id` (String) Specifies an OID. +- `value` (String) Specifies an OID value. 
@@ -199,29 +207,31 @@ Required: Optional: -- `common_name` (String) -- `country` (String) -- `custom_attributes` (Attributes List) Array of X.500 attribute type and value. CustomAttributes cannot be used along with pre-defined attributes. (see [below for nested schema](#nestedatt--api_passthrough--subject--custom_attributes)) -- `distinguished_name_qualifier` (String) -- `generation_qualifier` (String) -- `given_name` (String) -- `initials` (String) -- `locality` (String) -- `organization` (String) -- `organizational_unit` (String) -- `pseudonym` (String) -- `serial_number` (String) -- `state` (String) -- `surname` (String) -- `title` (String) +- `common_name` (String) For CA and end-entity certificates in a private PKI, the common name (CN) can be any string within the length limit. + Note: In publicly trusted certificates, the common name must be a fully qualified domain name (FQDN) associated with the certificate subject. +- `country` (String) Two-digit code that specifies the country in which the certificate subject located. +- `custom_attributes` (Attributes List) Contains a sequence of one or more X.500 relative distinguished names (RDNs), each of which consists of an object identifier (OID) and a value. For more information, see NIST?s definition of [Object Identifier (OID)](https://docs.aws.amazon.com/https://csrc.nist.gov/glossary/term/Object_Identifier). + Custom attributes cannot be used in combination with standard attributes. (see [below for nested schema](#nestedatt--api_passthrough--subject--custom_attributes)) +- `distinguished_name_qualifier` (String) Disambiguating information for the certificate subject. +- `generation_qualifier` (String) Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. +- `given_name` (String) First name. 
+- `initials` (String) Concatenation that typically contains the first letter of the *GivenName*, the first letter of the middle name if one exists, and the first letter of the *Surname*. +- `locality` (String) The locality (such as a city or town) in which the certificate subject is located. +- `organization` (String) Legal name of the organization with which the certificate subject is affiliated. +- `organizational_unit` (String) A subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. +- `pseudonym` (String) Typically a shortened version of a longer *GivenName*. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. +- `serial_number` (String) The certificate serial number. +- `state` (String) State in which the subject of the certificate is located. +- `surname` (String) Family name. In the US and the UK, for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. +- `title` (String) A title such as Mr. or Ms., which is pre-pended to the name to refer formally to the certificate subject. ### Nested Schema for `api_passthrough.subject.custom_attributes` Required: -- `object_identifier` (String) String that contains X.509 ObjectIdentifier information. -- `value` (String) +- `object_identifier` (String) Specifies the object identifier (OID) of the attribute type of the relative distinguished name (RDN). +- `value` (String) Specifies the attribute value of relative distinguished name (RDN). @@ -231,8 +241,8 @@ Required: Required: -- `type` (String) -- `value` (Number) +- `type` (String) Specifies whether the ``Value`` parameter represents days, months, or years. +- `value` (Number) A long integer interpreted according to the value of ``Type``, below. ## Import diff --git a/docs/resources/apigateway_authorizer.md b/docs/resources/apigateway_authorizer.md index 50b93764c9..d6a617356c 100644 
--- a/docs/resources/apigateway_authorizer.md +++ b/docs/resources/apigateway_authorizer.md 
@@ -27,7 +27,7 @@ The ``AWS::ApiGateway::Authorizer`` resource creates an authorization layer that - `authorizer_credentials` (String) Specifies the required credentials as an IAM role for API Gateway to invoke the authorizer. To specify an IAM role for API Gateway to assume, use the role's Amazon Resource Name (ARN). To use resource-based permissions on the Lambda function, specify null. - `authorizer_result_ttl_in_seconds` (Number) The TTL in seconds of cached authorizer results. If it equals 0, authorization caching is disabled. If it is greater than 0, API Gateway will cache authorizer responses. If this field is not set, the default value is 300. The maximum value is 3600, or 1 hour. - `authorizer_uri` (String) Specifies the authorizer's Uniform Resource Identifier (URI). For ``TOKEN`` or ``REQUEST`` authorizers, this must be a well-formed Lambda function URI, for example, ``arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:{account_id}:function:{lambda_function_name}/invocations``. In general, the URI has this form ``arn:aws:apigateway:{region}:lambda:path/{service_api}``, where ``{region}`` is the same as the region hosting the Lambda function, ``path`` indicates that the remaining substring in the URI should be treated as the path to the resource, including the initial ``/``. For Lambda functions, this is usually of the form ``/2015-03-31/functions/[FunctionARN]/invocations``. -- `identity_source` (String) The identity source for which authorization is requested. For a ``TOKEN`` or ``COGNITO_USER_POOLS`` authorizer, this is required and specifies the request header mapping expression for the custom header holding the authorization token submitted by the client. For example, if the token header name is ``Auth``, the header mapping expression is ``method.request.header.Auth``. For the ``REQUEST`` authorizer, this is required when authorization caching is enabled. 
The value is a comma-separated string of one or more mapping expressions of the specified request parameters. For example, if an ``Auth`` header, a ``Name`` query string parameter are defined as identity sources, this value is ``method.request.header.Auth, method.request.querystring.Name``. These parameters will be used to derive the authorization caching key and to perform runtime validation of the ``REQUEST`` authorizer by verifying all of the identity-related request parameters are present, not null and non-empty. Only when this is true does the authorizer invoke the authorizer Lambda function, otherwise, it returns a 401 Unauthorized response without calling the Lambda function. The valid value is a string of comma-separated mapping expressions of the specified request parameters. When the authorization caching is not enabled, this property is optional. +- `identity_source` (String) The identity source for which authorization is requested. For a ``TOKEN`` or ``COGNITO_USER_POOLS`` authorizer, this is required and specifies the request header mapping expression for the custom header holding the authorization token submitted by the client. For example, if the token header name is ``Auth``, the header mapping expression is ``method.request.header.Auth``. For the ``REQUEST`` authorizer, this is required when authorization caching is enabled. The value is a comma-separated string of one or more mapping expressions of the specified request parameters. For example, if an ``Auth`` header, a ``Name`` query string parameter are defined as identity sources, this value is ``method.request.header.Auth, method.request.querystring.Name``. These parameters will be used to derive the authorization caching key and to perform runtime validation of the ``REQUEST`` authorizer by verifying all of the identity-related request parameters are present, not null and non-empty. 
Only when thi - `identity_validation_expression` (String) A validation expression for the incoming identity token. For ``TOKEN`` authorizers, this value is a regular expression. For ``COGNITO_USER_POOLS`` authorizers, API Gateway will match the ``aud`` field of the incoming token from the client against the specified regular expression. It will invoke the authorizer's Lambda function when there is a match. Otherwise, it will return a 401 Unauthorized response without calling the Lambda function. The validation expression does not apply to the ``REQUEST`` authorizer. - `provider_ar_ns` (Set of String) A list of the Amazon Cognito user pool ARNs for the ``COGNITO_USER_POOLS`` authorizer. Each element is of this format: ``arn:aws:cognito-idp:{region}:{account_id}:userpool/{user_pool_id}``. For a ``TOKEN`` or ``REQUEST`` authorizer, this is not defined. diff --git a/docs/resources/apigateway_method.md b/docs/resources/apigateway_method.md index d1071fd906..be233ad4cb 100644 --- a/docs/resources/apigateway_method.md +++ b/docs/resources/apigateway_method.md 
@@ -107,12 +107,12 @@ Optional: - `credentials` (String) Specifies the credentials required for the integration, if any. For AWS integrations, three options are available. To specify an IAM Role for API Gateway to assume, use the role's Amazon Resource Name (ARN). To require that the caller's identity be passed through from the request, specify the string ``arn:aws:iam::\*:user/\*``. To use resource-based permissions on supported AWS services, specify null. - `integration_http_method` (String) Specifies the integration's HTTP method type. For the Type property, if you specify ``MOCK``, this property is optional. For Lambda integrations, you must set the integration method to ``POST``. For all other types, you must specify this property. - `integration_responses` (Attributes List) Specifies the integration's responses. (see [below for nested schema](#nestedatt--integration--integration_responses)) -- `passthrough_behavior` (String) Specifies how the method request body of an unmapped content type will be passed through the integration request to the back end without transformation. A content type is unmapped if no mapping template is defined in the integration or the content type does not match any of the mapped content types, as specified in ``requestTemplates``. The valid value is one of the following: ``WHEN_NO_MATCH``: passes the method request body through the integration request to the back end without transformation when the method request content type does not match any content type associated with the mapping templates defined in the integration request. ``WHEN_NO_TEMPLATES``: passes the method request body through the integration request to the back end without transformation when no mapping template is defined in the integration request. If a template is defined when this option is selected, the method request of an unmapped content-type will be rejected with an HTTP 415 Unsupported Media Type response. 
``NEVER``: rejects the method request with an HTTP 415 Unsupported Media Type response when either the method request content type does not match any content type associated with the mapping templates defined in the integration request or no mapping template is defined in the integration request. +- `passthrough_behavior` (String) Specifies how the method request body of an unmapped content type will be passed through the integration request to the back end without transformation. A content type is unmapped if no mapping template is defined in the integration or the content type does not match any of the mapped content types, as specified in ``requestTemplates``. The valid value is one of the following: ``WHEN_NO_MATCH``: passes the method request body through the integration request to the back end without transformation when the method request content type does not match any content type associated with the mapping templates defined in the integration request. ``WHEN_NO_TEMPLATES``: passes the method request body through the integration request to the back end without transformation when no mapping template is defined in the integration request. If a template is defined when this option is selected, the method request of an unmapped content-type will be rejected with an HTTP 415 Unsupported Media Type response - `request_parameters` (Map of String) A key-value map specifying request parameters that are passed from the method request to the back end. The key is an integration request parameter name and the associated value is a method request parameter value or static value that must be enclosed within single quotes and pre-encoded as required by the back end. The method request parameter value must match the pattern of ``method.request.{location}.{name}``, where ``location`` is ``querystring``, ``path``, or ``header`` and ``name`` must be a valid and unique method request parameter name. 
- `request_templates` (Map of String) Represents a map of Velocity templates that are applied on the request payload based on the value of the Content-Type header sent by the client. The content type value is the key in this map, and the template (as a String) is the value. - `timeout_in_millis` (Number) Custom timeout between 50 and 29,000 milliseconds. The default value is 29,000 milliseconds or 29 seconds. - `uri` (String) Specifies Uniform Resource Identifier (URI) of the integration endpoint. - For ``HTTP`` or ``HTTP_PROXY`` integrations, the URI must be a fully formed, encoded HTTP(S) URL according to the RFC-3986 specification for standard integrations. If ``connectionType`` is ``VPC_LINK`` specify the Network Load Balancer DNS name. For ``AWS`` or ``AWS_PROXY`` integrations, the URI is of the form ``arn:aws:apigateway:{region}:{subdomain.service|service}:path|action/{service_api}``. Here, {Region} is the API Gateway region (e.g., us-east-1); {service} is the name of the integrated AWS service (e.g., s3); and {subdomain} is a designated subdomain supported by certain AWS service for fast host-name lookup. action can be used for an AWS service action-based API, using an Action={name}&{p1}={v1}&p2={v2}... query string. The ensuing {service_api} refers to a supported action {name} plus any required input parameters. Alternatively, path can be used for an AWS service path-based API. The ensuing service_api refers to the path to an AWS service resource, including the region of the integrated AWS service, if applicable. For example, for integration with the S3 API of GetObject, the uri can be either ``arn:aws:apigateway:us-west-2:s3:action/GetObject&Bucket={bucket}&Key={key}`` or ``arn:aws:apigateway:us-west-2:s3:path/{bucket}/{key}`` + For ``HTTP`` or ``HTTP_PROXY`` integrations, the URI must be a fully formed, encoded HTTP(S) URL according to the RFC-3986 specification for standard integrations. 
If ``connectionType`` is ``VPC_LINK`` specify the Network Load Balancer DNS name. For ``AWS`` or ``AWS_PROXY`` integrations, the URI is of the form ``arn:aws:apigateway:{region}:{subdomain.service|service}:path|action/{service_api}``. Here, {Region} is the API Gateway region (e.g., us-east-1); {service} is the name of the integrated AWS service (e.g., s3); and {subdomain} is a designated subdomain supported by certain AWS service for fast host-name lookup. action can be used for an AWS service action-based API, using an Action={name}&{p1}={v1}&p2={v2}... query string. The ensuing {service_api} refers to a supported action {name} plus any required input parameters. Alternatively, path can be used for an AWS service path-based API. The ensuing service_ap ### Nested Schema for `integration.integration_responses` diff --git a/docs/resources/appsync_resolver.md b/docs/resources/appsync_resolver.md index ddada6213b..bd0e2a03fb 100644 --- a/docs/resources/appsync_resolver.md +++ b/docs/resources/appsync_resolver.md 
@@ -3,12 +3,16 @@ page_title: "awscc_appsync_resolver Resource - terraform-provider-awscc" subcategory: "" description: |- - Resource Type definition for AWS::AppSync::Resolver + The AWS::AppSync::Resolver resource defines the logical GraphQL resolver that you attach to fields in a schema. Request and response templates for resolvers are written in Apache Velocity Template Language (VTL) format. For more information about resolvers, see Resolver Mapping Template Reference https://docs.aws.amazon.com/appsync/latest/devguide/resolver-mapping-template-reference.html. + When you submit an update, CFNLong updates resources based on differences between what you submit and the stack's current template. To cause this resource to be updated you must change a property value for this resource in the CFNshort template. Changing the S3 file content without changing a property value will not result in an update operation. + See Update Behaviors of Stack Resources https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html in the User Guide. --- # awscc_appsync_resolver (Resource) -Resource Type definition for AWS::AppSync::Resolver +The ``AWS::AppSync::Resolver`` resource defines the logical GraphQL resolver that you attach to fields in a schema. Request and response templates for resolvers are written in Apache Velocity Template Language (VTL) format. For more information about resolvers, see [Resolver Mapping Template Reference](https://docs.aws.amazon.com/appsync/latest/devguide/resolver-mapping-template-reference.html). + When you submit an update, CFNLong updates resources based on differences between what you submit and the stack's current template. To cause this resource to be updated you must change a property value for this resource in the CFNshort template. Changing the S3 file content without changing a property value will not result in an update operation. 
+ See [Update Behaviors of Stack Resources](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html) in the *User Guide*. 
@@ -17,41 +21,47 @@ Resource Type definition for AWS::AppSync::Resolver ### Required -- `api_id` (String) The AWS AppSync GraphQL API to which you want to attach this resolver. +- `api_id` (String) The APSYlong GraphQL API to which you want to attach this resolver. - `field_name` (String) The GraphQL field on a type that invokes the resolver. - `type_name` (String) The GraphQL type that invokes this resolver. ### Optional - `caching_config` (Attributes) The caching configuration for the resolver. (see [below for nested schema](#nestedatt--caching_config)) -- `code` (String) The resolver code that contains the request and response functions. When code is used, the runtime is required. +- `code` (String) The ``resolver`` code that contains the request and response functions. When code is used, the ``runtime`` is required. The runtime value must be ``APPSYNC_JS``. - `code_s3_location` (String) The Amazon S3 endpoint. - `data_source_name` (String) The resolver data source name. - `kind` (String) The resolver type. -- `max_batch_size` (Number) The maximum number of resolver request inputs that will be sent to a single AWS Lambda function in a BatchInvoke operation. + + *UNIT*: A UNIT resolver type. A UNIT resolver is the default resolver type. You can use a UNIT resolver to run a GraphQL query against a single data source. + + *PIPELINE*: A PIPELINE resolver type. You can use a PIPELINE resolver to invoke a series of ``Function`` objects in a serial manner. You can use a pipeline resolver to run a GraphQL query against multiple data sources. +- `max_batch_size` (Number) The maximum number of resolver request inputs that will be sent to a single LAMlong function in a ``BatchInvoke`` operation. +- `metrics_config` (String) - `pipeline_config` (Attributes) Functions linked with the pipeline resolver. (see [below for nested schema](#nestedatt--pipeline_config)) -- `request_mapping_template` (String) Request mapping templates are optional when using a Lambda data source. 
For all other data sources, a request mapping template is required. -- `request_mapping_template_s3_location` (String) The location of a request mapping template in an Amazon S3 bucket. Use this if you want to provision with a template file in Amazon S3 rather than embedding it in your CloudFormation template. +- `request_mapping_template` (String) The request mapping template. + Request mapping templates are optional when using a Lambda data source. For all other data sources, a request mapping template is required. +- `request_mapping_template_s3_location` (String) The location of a request mapping template in an S3 bucket. Use this if you want to provision with a template file in S3 rather than embedding it in your CFNshort template. - `response_mapping_template` (String) The response mapping template. -- `response_mapping_template_s3_location` (String) The location of a response mapping template in an Amazon S3 bucket. Use this if you want to provision with a template file in Amazon S3 rather than embedding it in your CloudFormation template. -- `runtime` (Attributes) Describes a runtime used by an AWS AppSync pipeline resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified. (see [below for nested schema](#nestedatt--runtime)) -- `sync_config` (Attributes) The SyncConfig for a resolver attached to a versioned data source. (see [below for nested schema](#nestedatt--sync_config)) +- `response_mapping_template_s3_location` (String) The location of a response mapping template in an S3 bucket. Use this if you want to provision with a template file in S3 rather than embedding it in your CFNshort template. +- `runtime` (Attributes) Describes a runtime used by an APSYlong resolver or APSYlong function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified. 
(see [below for nested schema](#nestedatt--runtime)) +- `sync_config` (Attributes) The ``SyncConfig`` for a resolver attached to a versioned data source. (see [below for nested schema](#nestedatt--sync_config)) ### Read-Only - `id` (String) Uniquely identifies the resource. -- `resolver_arn` (String) The Amazon Resource Name (ARN) for the resolver. +- `resolver_arn` (String) ### Nested Schema for `caching_config` Required: -- `ttl` (Number) The TTL in seconds for a resolver that has caching activated. Valid values are 1-36.00 seconds. +- `ttl` (Number) The TTL in seconds for a resolver that has caching activated. + Valid values are 1?3,600 seconds. Optional: -- `caching_keys` (List of String) The caching keys for a resolver that has caching activated. Valid values are entries from the $context.arguments, $context.source, and $context.identity maps. +- `caching_keys` (List of String) The caching keys for a resolver that has caching activated. + Valid values are entries from the ``$context.arguments``, ``$context.source``, and ``$context.identity`` maps. @@ -59,7 +69,7 @@ Optional: Optional: -- `functions` (List of String) A list of Function objects. +- `functions` (List of String) A list of ``Function`` objects. @@ -67,8 +77,8 @@ Optional: Required: -- `name` (String) The name of the runtime to use. -- `runtime_version` (String) The version of the runtime to use. +- `name` (String) The ``name`` of the runtime to use. Currently, the only allowed value is ``APPSYNC_JS``. +- `runtime_version` (String) The ``version`` of the runtime to use. Currently, the only allowed version is ``1.0.0``. 
@@ -77,11 +87,16 @@ Required: Required: - `conflict_detection` (String) The Conflict Detection strategy to use. + + *VERSION*: Detect conflicts based on object versions for this resolver. + + *NONE*: Do not detect conflicts when invoking this resolver. Optional: - `conflict_handler` (String) The Conflict Resolution strategy to perform in the event of a conflict. -- `lambda_conflict_handler_config` (Attributes) The LambdaConflictHandlerConfig when configuring LAMBDA as the Conflict Handler. (see [below for nested schema](#nestedatt--sync_config--lambda_conflict_handler_config)) + + *OPTIMISTIC_CONCURRENCY*: Resolve conflicts by rejecting mutations when versions don't match the latest version at the server. + + *AUTOMERGE*: Resolve conflicts with the Automerge conflict resolution strategy. + + *LAMBDA*: Resolve conflicts with an LAMlong function supplied in the ``LambdaConflictHandlerConfig``. +- `lambda_conflict_handler_config` (Attributes) The ``LambdaConflictHandlerConfig`` when configuring ``LAMBDA`` as the Conflict Handler. (see [below for nested schema](#nestedatt--sync_config--lambda_conflict_handler_config)) ### Nested Schema for `sync_config.lambda_conflict_handler_config` diff --git a/docs/resources/batch_job_definition.md b/docs/resources/batch_job_definition.md index 4bd2bf3b76..ebe20e012d 100644 --- a/docs/resources/batch_job_definition.md +++ b/docs/resources/batch_job_definition.md 
@@ -60,6 +60,7 @@ Optional: - `network_configuration` (Attributes) (see [below for nested schema](#nestedatt--container_properties--network_configuration)) - `privileged` (Boolean) - `readonly_root_filesystem` (Boolean) +- `repository_credentials` (Attributes) (see [below for nested schema](#nestedatt--container_properties--repository_credentials)) - `resource_requirements` (Attributes List) (see [below for nested schema](#nestedatt--container_properties--resource_requirements)) - `runtime_platform` (Attributes) (see [below for nested schema](#nestedatt--container_properties--runtime_platform)) - `secrets` (Attributes List) (see [below for nested schema](#nestedatt--container_properties--secrets)) @@ -169,6 +170,14 @@ Optional: - `assign_public_ip` (String) + +### Nested Schema for `container_properties.repository_credentials` + +Required: + +- `credentials_parameter` (String) + + ### Nested Schema for `container_properties.resource_requirements` @@ -426,6 +435,7 @@ Optional: - `network_configuration` (Attributes) (see [below for nested schema](#nestedatt--node_properties--node_range_properties--container--network_configuration)) - `privileged` (Boolean) - `readonly_root_filesystem` (Boolean) +- `repository_credentials` (Attributes) (see [below for nested schema](#nestedatt--node_properties--node_range_properties--container--repository_credentials)) - `resource_requirements` (Attributes List) (see [below for nested schema](#nestedatt--node_properties--node_range_properties--container--resource_requirements)) - `runtime_platform` (Attributes) (see [below for nested schema](#nestedatt--node_properties--node_range_properties--container--runtime_platform)) - `secrets` (Attributes List) (see [below for nested schema](#nestedatt--node_properties--node_range_properties--container--secrets)) 
@@ -535,6 +545,14 @@ Optional: - `assign_public_ip` (String) + +### Nested Schema for `node_properties.node_range_properties.container.volumes` + +Required: + +- `credentials_parameter` (String) + + ### Nested Schema for `node_properties.node_range_properties.container.volumes` diff --git a/docs/resources/cloudfront_distribution.md b/docs/resources/cloudfront_distribution.md index 463e43b573..82e18687b8 100644 --- a/docs/resources/cloudfront_distribution.md +++ b/docs/resources/cloudfront_distribution.md @@ -3,12 +3,12 @@ page_title: "awscc_cloudfront_distribution Resource - terraform-provider-awscc" subcategory: "" description: |- - Resource Type definition for AWS::CloudFront::Distribution + A distribution tells CloudFront where you want content to be delivered from, and the details about how to track and manage content delivery. --- # awscc_cloudfront_distribution (Resource) -Resource Type definition for AWS::CloudFront::Distribution +A distribution tells CloudFront where you want content to be delivered from, and the details about how to track and manage content delivery. @@ -17,11 +17,11 @@ Resource Type definition for AWS::CloudFront::Distribution ### Required -- `distribution_config` (Attributes) (see [below for nested schema](#nestedatt--distribution_config)) +- `distribution_config` (Attributes) The distribution's configuration. (see [below for nested schema](#nestedatt--distribution_config)) ### Optional -- `tags` (Attributes List) (see [below for nested schema](#nestedatt--tags)) +- `tags` (Attributes List) A complex type that contains zero or more ``Tag`` elements. (see [below for nested schema](#nestedatt--tags)) ### Read-Only 
@@ -33,82 +33,142 @@ Resource Type definition for AWS::CloudFront::Distribution Required: -- `default_cache_behavior` (Attributes) (see [below for nested schema](#nestedatt--distribution_config--default_cache_behavior)) -- `enabled` (Boolean) +- `default_cache_behavior` (Attributes) A complex type that describes the default cache behavior if you don't specify a ``CacheBehavior`` element or if files don't match any of the values of ``PathPattern`` in ``CacheBehavior`` elements. You must create exactly one default cache behavior. (see [below for nested schema](#nestedatt--distribution_config--default_cache_behavior)) +- `enabled` (Boolean) From this field, you can enable or disable the selected distribution. Optional: -- `aliases` (List of String) -- `cache_behaviors` (Attributes List) (see [below for nested schema](#nestedatt--distribution_config--cache_behaviors)) +- `aliases` (List of String) A complex type that contains information about CNAMEs (alternate domain names), if any, for this distribution. +- `cache_behaviors` (Attributes List) A complex type that contains zero or more ``CacheBehavior`` elements. (see [below for nested schema](#nestedatt--distribution_config--cache_behaviors)) - `cnames` (List of String) -- `comment` (String) -- `continuous_deployment_policy_id` (String) -- `custom_error_responses` (Attributes List) (see [below for nested schema](#nestedatt--distribution_config--custom_error_responses)) +- `comment` (String) A comment to describe the distribution. The comment cannot be longer than 128 characters. +- `continuous_deployment_policy_id` (String) The identifier of a continuous deployment policy. For more information, see ``CreateContinuousDeploymentPolicy``. +- `custom_error_responses` (Attributes List) A complex type that controls the following: + + Whether CloudFront replaces HTTP status codes in the 4xx and 5xx range with custom error messages before returning the response to the viewer. 
+ + How long CloudFront caches HTTP status codes in the 4xx and 5xx range. + + For more information about custom error pages, see [Customizing Error Responses](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/custom-error-pages.html) in the *Amazon CloudFront Developer Guide*. (see [below for nested schema](#nestedatt--distribution_config--custom_error_responses)) - `custom_origin` (Attributes) (see [below for nested schema](#nestedatt--distribution_config--custom_origin)) -- `default_root_object` (String) -- `http_version` (String) -- `ipv6_enabled` (Boolean) -- `logging` (Attributes) (see [below for nested schema](#nestedatt--distribution_config--logging)) -- `origin_groups` (Attributes) (see [below for nested schema](#nestedatt--distribution_config--origin_groups)) -- `origins` (Attributes List) (see [below for nested schema](#nestedatt--distribution_config--origins)) -- `price_class` (String) -- `restrictions` (Attributes) (see [below for nested schema](#nestedatt--distribution_config--restrictions)) +- `default_root_object` (String) The object that you want CloudFront to request from your origin (for example, ``index.html``) when a viewer requests the root URL for your distribution (``https://www.example.com``) instead of an object in your distribution (``https://www.example.com/product-description.html``). Specifying a default root object avoids exposing the contents of your distribution. + Specify only the object name, for example, ``index.html``. Don't add a ``/`` before the object name. + If you don't want to specify a default root object when you create a distribution, include an empty ``DefaultRootObject`` element. + To delete the default root object from an existing distribution, update the distribution configuration and include an empty ``DefaultRootObject`` element. + To replace the default root object, update the distribution configuration and specify the new object. 
+ For more information about the default root object, see [Creating a Default Root Object](https://docs.aws.amazon.com/AmazonCloudFront/latest/D +- `http_version` (String) (Optional) Specify the maximum HTTP version(s) that you want viewers to use to communicate with CF. The default value for new distributions is ``http1.1``. + For viewers and CF to use HTTP/2, viewers must support TLSv1.2 or later, and must support Server Name Indication (SNI). + For viewers and CF to use HTTP/3, viewers must support TLSv1.3 and Server Name Indication (SNI). CF supports HTTP/3 connection migration to allow the viewer to switch networks without losing connection. For more information about connection migration, see [Connection Migration](https://docs.aws.amazon.com/https://www.rfc-editor.org/rfc/rfc9000.html#name-connection-migration) at RFC 9000. For more information about supported TLSv1.3 ciphers, see [Supported protocols and ciphers between viewers and CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html). +- `ipv6_enabled` (Boolean) If you want CloudFront to respond to IPv6 DNS requests with an IPv6 address for your distribution, specify ``true``. If you specify ``false``, CloudFront responds to IPv6 DNS requests with the DNS response code ``NOERROR`` and with no IP addresses. This allows viewers to submit a second request, for an IPv4 address for your distribution. + In general, you should enable IPv6 if you have users on IPv6 networks who want to access your content. However, if you're using signed URLs or signed cookies to restrict access to your content, and if you're using a custom policy that includes the ``IpAddress`` parameter to restrict the IP addresses that can access your content, don't enable IPv6. If you want to restrict access to some content by IP address and not restrict access to other content (or restrict access but not by IP address), you can create two distributions. 
For more information, see [Creating a Signed URL Using a Custom Policy](https://docs.aws.amazon.com/AmazonCloudFront/latest/Devel +- `logging` (Attributes) A complex type that controls whether access logs are written for the distribution. + For more information about logging, see [Access Logs](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html) in the *Amazon CloudFront Developer Guide*. (see [below for nested schema](#nestedatt--distribution_config--logging)) +- `origin_groups` (Attributes) A complex type that contains information about origin groups for this distribution. (see [below for nested schema](#nestedatt--distribution_config--origin_groups)) +- `origins` (Attributes List) A complex type that contains information about origins for this distribution. (see [below for nested schema](#nestedatt--distribution_config--origins)) +- `price_class` (String) The price class that corresponds with the maximum price that you want to pay for CloudFront service. If you specify ``PriceClass_All``, CloudFront responds to requests for your objects from all CloudFront edge locations. + If you specify a price class other than ``PriceClass_All``, CloudFront serves your objects from the CloudFront edge location that has the lowest latency among the edge locations in your price class. Viewers who are in or near regions that are excluded from your specified price class may encounter slower performance. + For more information about price classes, see [Choosing the Price Class for a CloudFront Distribution](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PriceClass.html) in the *Amazon CloudFront Developer Guide*. For information about CloudFront pricing, including how price classes (such as Price Class 100) map to CloudFront regions, see [Amazon CloudFront Pricing](https://docs.aws.amazon.com/cloudfront/pricing/). 
+- `restrictions` (Attributes) A complex type that identifies ways in which you want to restrict distribution of your content. (see [below for nested schema](#nestedatt--distribution_config--restrictions)) - `s3_origin` (Attributes) (see [below for nested schema](#nestedatt--distribution_config--s3_origin)) -- `staging` (Boolean) -- `viewer_certificate` (Attributes) (see [below for nested schema](#nestedatt--distribution_config--viewer_certificate)) -- `web_acl_id` (String) +- `staging` (Boolean) A Boolean that indicates whether this is a staging distribution. When this value is ``true``, this is a staging distribution. When this value is ``false``, this is not a staging distribution. +- `viewer_certificate` (Attributes) A complex type that determines the distribution's SSL/TLS configuration for communicating with viewers. (see [below for nested schema](#nestedatt--distribution_config--viewer_certificate)) +- `web_acl_id` (String) A unique identifier that specifies the WAF web ACL, if any, to associate with this distribution. To specify a web ACL created using the latest version of WAF, use the ACL ARN, for example ``arn:aws:wafv2:us-east-1:123456789012:global/webacl/ExampleWebACL/473e64fd-f30b-4765-81a0-62ad96dd167a``. To specify a web ACL created using WAF Classic, use the ACL ID, for example ``473e64fd-f30b-4765-81a0-62ad96dd167a``. + WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to CloudFront, and lets you control access to your content. Based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, CloudFront responds to requests either with the requested content or with an HTTP 403 status code (Forbidden). You can also configure CloudFront to return a custom error page when a request is blocked. 
For more information about WAF, see the [Developer Guide](https://docs.aws.amazon.com/waf/latest ### Nested Schema for `distribution_config.default_cache_behavior` Required: -- `target_origin_id` (String) -- `viewer_protocol_policy` (String) +- `target_origin_id` (String) The value of ``ID`` for the origin that you want CloudFront to route requests to when they use the default cache behavior. +- `viewer_protocol_policy` (String) The protocol that viewers can use to access the files in the origin specified by ``TargetOriginId`` when a request matches the path pattern in ``PathPattern``. You can specify the following options: + + ``allow-all``: Viewers can use HTTP or HTTPS. + + ``redirect-to-https``: If a viewer submits an HTTP request, CloudFront returns an HTTP status code of 301 (Moved Permanently) to the viewer along with the HTTPS URL. The viewer then resubmits the request using the new URL. + + ``https-only``: If a viewer sends an HTTP request, CloudFront returns an HTTP status code of 403 (Forbidden). + + For more information about requiring the HTTPS protocol, see [Requiring HTTPS Between Viewers and CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html) in the *Amazon CloudFront Developer Guide*. 
+ The only way to guarantee that viewers retrieve an object that was fetched from the origin using HTTPS is never to use any other protocol Optional: -- `allowed_methods` (List of String) -- `cache_policy_id` (String) -- `cached_methods` (List of String) -- `compress` (Boolean) -- `default_ttl` (Number) -- `field_level_encryption_id` (String) -- `forwarded_values` (Attributes) (see [below for nested schema](#nestedatt--distribution_config--default_cache_behavior--forwarded_values)) -- `function_associations` (Attributes List) (see [below for nested schema](#nestedatt--distribution_config--default_cache_behavior--function_associations)) -- `lambda_function_associations` (Attributes List) (see [below for nested schema](#nestedatt--distribution_config--default_cache_behavior--lambda_function_associations)) -- `max_ttl` (Number) -- `min_ttl` (Number) -- `origin_request_policy_id` (String) -- `realtime_log_config_arn` (String) -- `response_headers_policy_id` (String) -- `smooth_streaming` (Boolean) -- `trusted_key_groups` (List of String) -- `trusted_signers` (List of String) +- `allowed_methods` (List of String) A complex type that controls which HTTP methods CloudFront processes and forwards to your Amazon S3 bucket or your custom origin. There are three choices: + + CloudFront forwards only ``GET`` and ``HEAD`` requests. + + CloudFront forwards only ``GET``, ``HEAD``, and ``OPTIONS`` requests. + + CloudFront forwards ``GET, HEAD, OPTIONS, PUT, PATCH, POST``, and ``DELETE`` requests. + + If you pick the third choice, you may need to restrict access to your Amazon S3 bucket or to your custom origin so users can't perform operations that you don't want them to. For example, you might not want users to have permissions to delete objects from your origin. +- `cache_policy_id` (String) The unique identifier of the cache policy that is attached to the default cache behavior. 
For more information, see [Creating cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html#cache-key-create-cache-policy) or [Using the managed cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html) in the *Amazon CloudFront Developer Guide*. + A ``DefaultCacheBehavior`` must include either a ``CachePolicyId`` or ``ForwardedValues``. We recommend that you use a ``CachePolicyId``. +- `cached_methods` (List of String) A complex type that controls whether CloudFront caches the response to requests using the specified HTTP methods. There are two choices: + + CloudFront caches responses to ``GET`` and ``HEAD`` requests. + + CloudFront caches responses to ``GET``, ``HEAD``, and ``OPTIONS`` requests. + + If you pick the second choice for your Amazon S3 Origin, you may need to forward Access-Control-Request-Method, Access-Control-Request-Headers, and Origin headers for the responses to be cached correctly. +- `compress` (Boolean) Whether you want CloudFront to automatically compress certain files for this cache behavior. If so, specify ``true``; if not, specify ``false``. For more information, see [Serving Compressed Files](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/ServingCompressedFiles.html) in the *Amazon CloudFront Developer Guide*. +- `default_ttl` (Number) This field is deprecated. We recommend that you use the ``DefaultTTL`` field in a cache policy instead of this field. For more information, see [Creating cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html#cache-key-create-cache-policy) or [Using the managed cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html) in the *Amazon CloudFront Developer Guide*. 
+ The default amount of time that you want objects to stay in CloudFront caches before CloudFront forwards another request to your origin to determine whether the object has been updated. The value that you specify applies only when your origin does not add HTTP headers such as ``Cache-Control max-age``, ``Cache-Control s-maxage``, and ``Expires`` to objects. For more information, see [Managing How Long Content Stays in an Edge Cache (Expiration)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide +- `field_level_encryption_id` (String) The value of ``ID`` for the field-level encryption configuration that you want CloudFront to use for encrypting specific fields of data for the default cache behavior. +- `forwarded_values` (Attributes) This field is deprecated. We recommend that you use a cache policy or an origin request policy instead of this field. For more information, see [Working with policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/working-with-policies.html) in the *Amazon CloudFront Developer Guide*. + If you want to include values in the cache key, use a cache policy. For more information, see [Creating cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html#cache-key-create-cache-policy) or [Using the managed cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html) in the *Amazon CloudFront Developer Guide*. + If you want to send values to the origin but not include them in the cache key, use an origin request policy. For more information, see [Creating origin request policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-r (see [below for nested schema](#nestedatt--distribution_config--default_cache_behavior--forwarded_values)) +- `function_associations` (Attributes List) A list of CloudFront functions that are associated with this cache behavior. 
CloudFront functions must be published to the ``LIVE`` stage to associate them with a cache behavior. (see [below for nested schema](#nestedatt--distribution_config--default_cache_behavior--function_associations)) +- `lambda_function_associations` (Attributes List) A complex type that contains zero or more Lambda@Edge function associations for a cache behavior. (see [below for nested schema](#nestedatt--distribution_config--default_cache_behavior--lambda_function_associations)) +- `max_ttl` (Number) This field is deprecated. We recommend that you use the ``MaxTTL`` field in a cache policy instead of this field. For more information, see [Creating cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html#cache-key-create-cache-policy) or [Using the managed cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html) in the *Amazon CloudFront Developer Guide*. + The maximum amount of time that you want objects to stay in CloudFront caches before CloudFront forwards another request to your origin to determine whether the object has been updated. The value that you specify applies only when your origin adds HTTP headers such as ``Cache-Control max-age``, ``Cache-Control s-maxage``, and ``Expires`` to objects. For more information, see [Managing How Long Content Stays in an Edge Cache (Expiration)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Expiration. +- `min_ttl` (Number) This field is deprecated. We recommend that you use the ``MinTTL`` field in a cache policy instead of this field. 
For more information, see [Creating cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html#cache-key-create-cache-policy) or [Using the managed cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html) in the *Amazon CloudFront Developer Guide*. + The minimum amount of time that you want objects to stay in CloudFront caches before CloudFront forwards another request to your origin to determine whether the object has been updated. For more information, see [Managing How Long Content Stays in an Edge Cache (Expiration)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Expiration.html) in the *Amazon CloudFront Developer Guide*. + You must specify ``0`` for ``MinTTL`` if you configure CloudFront to forward all headers to your origin (under ``He +- `origin_request_policy_id` (String) The unique identifier of the origin request policy that is attached to the default cache behavior. For more information, see [Creating origin request policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html#origin-request-create-origin-request-policy) or [Using the managed origin request policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html) in the *Amazon CloudFront Developer Guide*. +- `realtime_log_config_arn` (String) The Amazon Resource Name (ARN) of the real-time log configuration that is attached to this cache behavior. For more information, see [Real-time logs](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/real-time-logs.html) in the *Amazon CloudFront Developer Guide*. +- `response_headers_policy_id` (String) The identifier for a response headers policy. 
+- `smooth_streaming` (Boolean) Indicates whether you want to distribute media files in the Microsoft Smooth Streaming format using the origin that is associated with this cache behavior. If so, specify ``true``; if not, specify ``false``. If you specify ``true`` for ``SmoothStreaming``, you can still distribute other content using this cache behavior if the content matches the value of ``PathPattern``. +- `trusted_key_groups` (List of String) A list of key groups that CloudFront can use to validate signed URLs or signed cookies. + When a cache behavior contains trusted key groups, CloudFront requires signed URLs or signed cookies for all requests that match the cache behavior. The URLs or cookies must be signed with a private key whose corresponding public key is in the key group. The signed URL or cookie contains information about which public key CloudFront should use to verify the signature. For more information, see [Serving private content](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html) in the *Amazon CloudFront Developer Guide*. +- `trusted_signers` (List of String) We recommend using ``TrustedKeyGroups`` instead of ``TrustedSigners``. + A list of AWS-account IDs whose public keys CloudFront can use to validate signed URLs or signed cookies. + When a cache behavior contains trusted signers, CloudFront requires signed URLs or signed cookies for all requests that match the cache behavior. The URLs or cookies must be signed with the private key of a CloudFront key pair in a trusted signer's AWS-account. The signed URL or cookie contains information about which public key CloudFront should use to verify the signature. For more information, see [Serving private content](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html) in the *Amazon CloudFront Developer Guide*. 
### Nested Schema for `distribution_config.default_cache_behavior.forwarded_values` Required: -- `query_string` (Boolean) +- `query_string` (Boolean) This field is deprecated. We recommend that you use a cache policy or an origin request policy instead of this field. + If you want to include query strings in the cache key, use a cache policy. For more information, see [Creating cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html#cache-key-create-cache-policy) in the *Amazon CloudFront Developer Guide*. + If you want to send query strings to the origin but not include them in the cache key, use an origin request policy. For more information, see [Creating origin request policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html#origin-request-create-origin-request-policy) in the *Amazon CloudFront Developer Guide*. + Indicates whether you want CloudFront to forward query strings to the origin that is associated with this cache behavior and cache based on the query string parameters. CloudFront behavior depends on the value of Optional: -- `cookies` (Attributes) (see [below for nested schema](#nestedatt--distribution_config--default_cache_behavior--forwarded_values--cookies)) -- `headers` (List of String) -- `query_string_cache_keys` (List of String) +- `cookies` (Attributes) This field is deprecated. We recommend that you use a cache policy or an origin request policy instead of this field. + If you want to include cookies in the cache key, use a cache policy. For more information, see [Creating cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html#cache-key-create-cache-policy) in the *Amazon CloudFront Developer Guide*. + If you want to send cookies to the origin but not include them in the cache key, use an origin request policy. 
For more information, see [Creating origin request policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html#origin-request-create-origin-request-policy) in the *Amazon CloudFront Developer Guide*. + A complex type that specifies whether you want CloudFront to forward cookies to the origin and, if so, which ones. For more information about forwarding cookies to the origin, see [How CloudFront Forwards, Caches, and Logs C (see [below for nested schema](#nestedatt--distribution_config--default_cache_behavior--forwarded_values--cookies)) +- `headers` (List of String) This field is deprecated. We recommend that you use a cache policy or an origin request policy instead of this field. + If you want to include headers in the cache key, use a cache policy. For more information, see [Creating cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html#cache-key-create-cache-policy) in the *Amazon CloudFront Developer Guide*. + If you want to send headers to the origin but not include them in the cache key, use an origin request policy. For more information, see [Creating origin request policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html#origin-request-create-origin-request-policy) in the *Amazon CloudFront Developer Guide*. + A complex type that specifies the ``Headers``, if any, that you want CloudFront to forward to the origin for this cache behavior (whitelisted headers). For the headers that you specify, CloudFront also caches separate versio +- `query_string_cache_keys` (List of String) This field is deprecated. We recommend that you use a cache policy or an origin request policy instead of this field. + If you want to include query strings in the cache key, use a cache policy. 
For more information, see [Creating cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html#cache-key-create-cache-policy) in the *Amazon CloudFront Developer Guide*. + If you want to send query strings to the origin but not include them in the cache key, use an origin request policy. For more information, see [Creating origin request policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html#origin-request-create-origin-request-policy) in the *Amazon CloudFront Developer Guide*. + A complex type that contains information about the query string parameters that you want CloudFront to use for caching for this cache behavior. ### Nested Schema for `distribution_config.default_cache_behavior.forwarded_values.query_string_cache_keys` Required: -- `forward` (String) +- `forward` (String) This field is deprecated. We recommend that you use a cache policy or an origin request policy instead of this field. + If you want to include cookies in the cache key, use a cache policy. For more information, see [Creating cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html#cache-key-create-cache-policy) in the *Amazon CloudFront Developer Guide*. + If you want to send cookies to the origin but not include them in the cache key, use origin request policy. For more information, see [Creating origin request policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html#origin-request-create-origin-request-policy) in the *Amazon CloudFront Developer Guide*. + Specifies which cookies to forward to the origin for this cache behavior: all, none, or the list of cookies specified in the ``WhitelistedNames`` complex type. + Amazon S3 doesn't process cookies. 
When the cache behavior is forw Optional: -- `whitelisted_names` (List of String) +- `whitelisted_names` (List of String) This field is deprecated. We recommend that you use a cache policy or an origin request policy instead of this field. + If you want to include cookies in the cache key, use a cache policy. For more information, see [Creating cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html#cache-key-create-cache-policy) in the *Amazon CloudFront Developer Guide*. + If you want to send cookies to the origin but not include them in the cache key, use an origin request policy. For more information, see [Creating origin request policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html#origin-request-create-origin-request-policy) in the *Amazon CloudFront Developer Guide*. + Required if you specify ``whitelist`` for the value of ``Forward``. A complex type that specifies how many different cookies you want CloudFront to forward to the origin for this cache behavior and, if you want to forward se @@ -117,8 +177,8 @@ Optional: Optional: -- `event_type` (String) -- `function_arn` (String) +- `event_type` (String) The event type of the function, either ``viewer-request`` or ``viewer-response``. You cannot use origin-facing event types (``origin-request`` and ``origin-response``) with a CloudFront function. +- `function_arn` (String) The Amazon Resource Name (ARN) of the function. 
@@ -126,9 +186,14 @@ Optional: Optional: -- `event_type` (String) -- `include_body` (Boolean) -- `lambda_function_arn` (String) +- `event_type` (String) Specifies the event type that triggers a Lambda@Edge function invocation. You can specify the following values: + + ``viewer-request``: The function executes when CloudFront receives a request from a viewer and before it checks to see whether the requested object is in the edge cache. + + ``origin-request``: The function executes only when CloudFront sends a request to your origin. When the requested object is in the edge cache, the function doesn't execute. + + ``origin-response``: The function executes after CloudFront receives a response from the origin and before it caches the object in the response. When the requested object is in the edge cache, the function doesn't execute. + + ``viewer-response``: The function executes before CloudFront returns the requested object to the viewer. The function executes regardless of whether the object was already in the edge cache. + If the origin returns an HTTP status code other than HTTP 200 (OK), the function doesn't execute. +- `include_body` (Boolean) A flag that allows a Lambda@Edge function to have read access to the body content. For more information, see [Accessing the Request Body by Choosing the Include Body Option](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-include-body-access.html) in the Amazon CloudFront Developer Guide. +- `lambda_function_arn` (String) The ARN of the Lambda@Edge function. You must specify the ARN of a function version; you can't specify an alias or $LATEST. 
@@ -137,53 +202,100 @@ Optional: Required: -- `path_pattern` (String) -- `target_origin_id` (String) -- `viewer_protocol_policy` (String) +- `path_pattern` (String) The pattern (for example, ``images/*.jpg``) that specifies which requests to apply the behavior to. When CloudFront receives a viewer request, the requested path is compared with path patterns in the order in which cache behaviors are listed in the distribution. + You can optionally include a slash (``/``) at the beginning of the path pattern. For example, ``/images/*.jpg``. CloudFront behavior is the same with or without the leading ``/``. + The path pattern for the default cache behavior is ``*`` and cannot be changed. If the request for an object does not match the path pattern for any cache behaviors, CloudFront applies the behavior in the default cache behavior. + For more information, see [Path Pattern](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesPathPattern) in the *Amazon CloudFront Developer Guide*. +- `target_origin_id` (String) The value of ``ID`` for the origin that you want CloudFront to route requests to when they match this cache behavior. +- `viewer_protocol_policy` (String) The protocol that viewers can use to access the files in the origin specified by ``TargetOriginId`` when a request matches the path pattern in ``PathPattern``. You can specify the following options: + + ``allow-all``: Viewers can use HTTP or HTTPS. + + ``redirect-to-https``: If a viewer submits an HTTP request, CloudFront returns an HTTP status code of 301 (Moved Permanently) to the viewer along with the HTTPS URL. The viewer then resubmits the request using the new URL. + + ``https-only``: If a viewer sends an HTTP request, CloudFront returns an HTTP status code of 403 (Forbidden). 
+ + For more information about requiring the HTTPS protocol, see [Requiring HTTPS Between Viewers and CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html) in the *Amazon CloudFront Developer Guide*. + The only way to guarantee that viewers retrieve an object that was fetched from the origin using HTTPS is never to use any other protocol Optional: -- `allowed_methods` (List of String) -- `cache_policy_id` (String) -- `cached_methods` (List of String) -- `compress` (Boolean) -- `default_ttl` (Number) -- `field_level_encryption_id` (String) -- `forwarded_values` (Attributes) (see [below for nested schema](#nestedatt--distribution_config--cache_behaviors--forwarded_values)) -- `function_associations` (Attributes List) (see [below for nested schema](#nestedatt--distribution_config--cache_behaviors--function_associations)) -- `lambda_function_associations` (Attributes List) (see [below for nested schema](#nestedatt--distribution_config--cache_behaviors--lambda_function_associations)) -- `max_ttl` (Number) -- `min_ttl` (Number) -- `origin_request_policy_id` (String) -- `realtime_log_config_arn` (String) -- `response_headers_policy_id` (String) -- `smooth_streaming` (Boolean) -- `trusted_key_groups` (List of String) -- `trusted_signers` (List of String) +- `allowed_methods` (List of String) A complex type that controls which HTTP methods CloudFront processes and forwards to your Amazon S3 bucket or your custom origin. There are three choices: + + CloudFront forwards only ``GET`` and ``HEAD`` requests. + + CloudFront forwards only ``GET``, ``HEAD``, and ``OPTIONS`` requests. + + CloudFront forwards ``GET, HEAD, OPTIONS, PUT, PATCH, POST``, and ``DELETE`` requests. + + If you pick the third choice, you may need to restrict access to your Amazon S3 bucket or to your custom origin so users can't perform operations that you don't want them to. 
For example, you might not want users to have permissions to delete objects from your origin. +- `cache_policy_id` (String) The unique identifier of the cache policy that is attached to this cache behavior. For more information, see [Creating cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html#cache-key-create-cache-policy) or [Using the managed cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html) in the *Amazon CloudFront Developer Guide*. + A ``CacheBehavior`` must include either a ``CachePolicyId`` or ``ForwardedValues``. We recommend that you use a ``CachePolicyId``. +- `cached_methods` (List of String) A complex type that controls whether CloudFront caches the response to requests using the specified HTTP methods. There are two choices: + + CloudFront caches responses to ``GET`` and ``HEAD`` requests. + + CloudFront caches responses to ``GET``, ``HEAD``, and ``OPTIONS`` requests. + + If you pick the second choice for your Amazon S3 Origin, you may need to forward Access-Control-Request-Method, Access-Control-Request-Headers, and Origin headers for the responses to be cached correctly. +- `compress` (Boolean) Whether you want CloudFront to automatically compress certain files for this cache behavior. If so, specify true; if not, specify false. For more information, see [Serving Compressed Files](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/ServingCompressedFiles.html) in the *Amazon CloudFront Developer Guide*. +- `default_ttl` (Number) This field is deprecated. We recommend that you use the ``DefaultTTL`` field in a cache policy instead of this field. 
For more information, see [Creating cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html#cache-key-create-cache-policy) or [Using the managed cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html) in the *Amazon CloudFront Developer Guide*. + The default amount of time that you want objects to stay in CloudFront caches before CloudFront forwards another request to your origin to determine whether the object has been updated. The value that you specify applies only when your origin does not add HTTP headers such as ``Cache-Control max-age``, ``Cache-Control s-maxage``, and ``Expires`` to objects. For more information, see [Managing How Long Content Stays in an Edge Cache (Expiration)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide +- `field_level_encryption_id` (String) The value of ``ID`` for the field-level encryption configuration that you want CloudFront to use for encrypting specific fields of data for this cache behavior. +- `forwarded_values` (Attributes) This field is deprecated. We recommend that you use a cache policy or an origin request policy instead of this field. For more information, see [Working with policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/working-with-policies.html) in the *Amazon CloudFront Developer Guide*. + If you want to include values in the cache key, use a cache policy. For more information, see [Creating cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html#cache-key-create-cache-policy) or [Using the managed cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html) in the *Amazon CloudFront Developer Guide*. + If you want to send values to the origin but not include them in the cache key, use an origin request policy. 
For more information, see [Creating origin request policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-r (see [below for nested schema](#nestedatt--distribution_config--cache_behaviors--forwarded_values)) +- `function_associations` (Attributes List) A list of CloudFront functions that are associated with this cache behavior. CloudFront functions must be published to the ``LIVE`` stage to associate them with a cache behavior. (see [below for nested schema](#nestedatt--distribution_config--cache_behaviors--function_associations)) +- `lambda_function_associations` (Attributes List) A complex type that contains zero or more Lambda@Edge function associations for a cache behavior. (see [below for nested schema](#nestedatt--distribution_config--cache_behaviors--lambda_function_associations)) +- `max_ttl` (Number) This field is deprecated. We recommend that you use the ``MaxTTL`` field in a cache policy instead of this field. For more information, see [Creating cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html#cache-key-create-cache-policy) or [Using the managed cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html) in the *Amazon CloudFront Developer Guide*. + The maximum amount of time that you want objects to stay in CloudFront caches before CloudFront forwards another request to your origin to determine whether the object has been updated. The value that you specify applies only when your origin adds HTTP headers such as ``Cache-Control max-age``, ``Cache-Control s-maxage``, and ``Expires`` to objects. For more information, see [Managing How Long Content Stays in an Edge Cache (Expiration)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Expiration. +- `min_ttl` (Number) This field is deprecated. We recommend that you use the ``MinTTL`` field in a cache policy instead of this field. 
For more information, see [Creating cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html#cache-key-create-cache-policy) or [Using the managed cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html) in the *Amazon CloudFront Developer Guide*. + The minimum amount of time that you want objects to stay in CloudFront caches before CloudFront forwards another request to your origin to determine whether the object has been updated. For more information, see [Managing How Long Content Stays in an Edge Cache (Expiration)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Expiration.html) in the *Amazon CloudFront Developer Guide*. + You must specify ``0`` for ``MinTTL`` if you configure CloudFront to forward all headers to your origin (under ``He +- `origin_request_policy_id` (String) The unique identifier of the origin request policy that is attached to this cache behavior. For more information, see [Creating origin request policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html#origin-request-create-origin-request-policy) or [Using the managed origin request policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html) in the *Amazon CloudFront Developer Guide*. +- `realtime_log_config_arn` (String) The Amazon Resource Name (ARN) of the real-time log configuration that is attached to this cache behavior. For more information, see [Real-time logs](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/real-time-logs.html) in the *Amazon CloudFront Developer Guide*. +- `response_headers_policy_id` (String) The identifier for a response headers policy. 
+- `smooth_streaming` (Boolean) Indicates whether you want to distribute media files in the Microsoft Smooth Streaming format using the origin that is associated with this cache behavior. If so, specify ``true``; if not, specify ``false``. If you specify ``true`` for ``SmoothStreaming``, you can still distribute other content using this cache behavior if the content matches the value of ``PathPattern``. +- `trusted_key_groups` (List of String) A list of key groups that CloudFront can use to validate signed URLs or signed cookies. + When a cache behavior contains trusted key groups, CloudFront requires signed URLs or signed cookies for all requests that match the cache behavior. The URLs or cookies must be signed with a private key whose corresponding public key is in the key group. The signed URL or cookie contains information about which public key CloudFront should use to verify the signature. For more information, see [Serving private content](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html) in the *Amazon CloudFront Developer Guide*. +- `trusted_signers` (List of String) We recommend using ``TrustedKeyGroups`` instead of ``TrustedSigners``. + A list of AWS-account IDs whose public keys CloudFront can use to validate signed URLs or signed cookies. + When a cache behavior contains trusted signers, CloudFront requires signed URLs or signed cookies for all requests that match the cache behavior. The URLs or cookies must be signed with the private key of a CloudFront key pair in the trusted signer's AWS-account. The signed URL or cookie contains information about which public key CloudFront should use to verify the signature. For more information, see [Serving private content](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html) in the *Amazon CloudFront Developer Guide*. 
### Nested Schema for `distribution_config.cache_behaviors.forwarded_values` Required: -- `query_string` (Boolean) +- `query_string` (Boolean) This field is deprecated. We recommend that you use a cache policy or an origin request policy instead of this field. + If you want to include query strings in the cache key, use a cache policy. For more information, see [Creating cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html#cache-key-create-cache-policy) in the *Amazon CloudFront Developer Guide*. + If you want to send query strings to the origin but not include them in the cache key, use an origin request policy. For more information, see [Creating origin request policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html#origin-request-create-origin-request-policy) in the *Amazon CloudFront Developer Guide*. + Indicates whether you want CloudFront to forward query strings to the origin that is associated with this cache behavior and cache based on the query string parameters. CloudFront behavior depends on the value of Optional: -- `cookies` (Attributes) (see [below for nested schema](#nestedatt--distribution_config--cache_behaviors--forwarded_values--cookies)) -- `headers` (List of String) -- `query_string_cache_keys` (List of String) +- `cookies` (Attributes) This field is deprecated. We recommend that you use a cache policy or an origin request policy instead of this field. + If you want to include cookies in the cache key, use a cache policy. For more information, see [Creating cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html#cache-key-create-cache-policy) in the *Amazon CloudFront Developer Guide*. + If you want to send cookies to the origin but not include them in the cache key, use an origin request policy. 
For more information, see [Creating origin request policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html#origin-request-create-origin-request-policy) in the *Amazon CloudFront Developer Guide*. + A complex type that specifies whether you want CloudFront to forward cookies to the origin and, if so, which ones. For more information about forwarding cookies to the origin, see [How CloudFront Forwards, Caches, and Logs C (see [below for nested schema](#nestedatt--distribution_config--cache_behaviors--forwarded_values--cookies)) +- `headers` (List of String) This field is deprecated. We recommend that you use a cache policy or an origin request policy instead of this field. + If you want to include headers in the cache key, use a cache policy. For more information, see [Creating cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html#cache-key-create-cache-policy) in the *Amazon CloudFront Developer Guide*. + If you want to send headers to the origin but not include them in the cache key, use an origin request policy. For more information, see [Creating origin request policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html#origin-request-create-origin-request-policy) in the *Amazon CloudFront Developer Guide*. + A complex type that specifies the ``Headers``, if any, that you want CloudFront to forward to the origin for this cache behavior (whitelisted headers). For the headers that you specify, CloudFront also caches separate versio +- `query_string_cache_keys` (List of String) This field is deprecated. We recommend that you use a cache policy or an origin request policy instead of this field. + If you want to include query strings in the cache key, use a cache policy. 
For more information, see [Creating cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html#cache-key-create-cache-policy) in the *Amazon CloudFront Developer Guide*. + If you want to send query strings to the origin but not include them in the cache key, use an origin request policy. For more information, see [Creating origin request policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html#origin-request-create-origin-request-policy) in the *Amazon CloudFront Developer Guide*. + A complex type that contains information about the query string parameters that you want CloudFront to use for caching for this cache behavior. ### Nested Schema for `distribution_config.cache_behaviors.forwarded_values.query_string_cache_keys` Required: -- `forward` (String) +- `forward` (String) This field is deprecated. We recommend that you use a cache policy or an origin request policy instead of this field. + If you want to include cookies in the cache key, use a cache policy. For more information, see [Creating cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html#cache-key-create-cache-policy) in the *Amazon CloudFront Developer Guide*. + If you want to send cookies to the origin but not include them in the cache key, use origin request policy. For more information, see [Creating origin request policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html#origin-request-create-origin-request-policy) in the *Amazon CloudFront Developer Guide*. + Specifies which cookies to forward to the origin for this cache behavior: all, none, or the list of cookies specified in the ``WhitelistedNames`` complex type. + Amazon S3 doesn't process cookies. 
When the cache behavior is forw Optional: -- `whitelisted_names` (List of String) +- `whitelisted_names` (List of String) This field is deprecated. We recommend that you use a cache policy or an origin request policy instead of this field. + If you want to include cookies in the cache key, use a cache policy. For more information, see [Creating cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html#cache-key-create-cache-policy) in the *Amazon CloudFront Developer Guide*. + If you want to send cookies to the origin but not include them in the cache key, use an origin request policy. For more information, see [Creating origin request policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html#origin-request-create-origin-request-policy) in the *Amazon CloudFront Developer Guide*. + Required if you specify ``whitelist`` for the value of ``Forward``. A complex type that specifies how many different cookies you want CloudFront to forward to the origin for this cache behavior and, if you want to forward se @@ -192,8 +304,8 @@ Optional: Optional: -- `event_type` (String) -- `function_arn` (String) +- `event_type` (String) The event type of the function, either ``viewer-request`` or ``viewer-response``. You cannot use origin-facing event types (``origin-request`` and ``origin-response``) with a CloudFront function. +- `function_arn` (String) The Amazon Resource Name (ARN) of the function. 
@@ -201,9 +313,14 @@ Optional: Optional: -- `event_type` (String) -- `include_body` (Boolean) -- `lambda_function_arn` (String) +- `event_type` (String) Specifies the event type that triggers a Lambda@Edge function invocation. You can specify the following values: + + ``viewer-request``: The function executes when CloudFront receives a request from a viewer and before it checks to see whether the requested object is in the edge cache. + + ``origin-request``: The function executes only when CloudFront sends a request to your origin. When the requested object is in the edge cache, the function doesn't execute. + + ``origin-response``: The function executes after CloudFront receives a response from the origin and before it caches the object in the response. When the requested object is in the edge cache, the function doesn't execute. + + ``viewer-response``: The function executes before CloudFront returns the requested object to the viewer. The function executes regardless of whether the object was already in the edge cache. + If the origin returns an HTTP status code other than HTTP 200 (OK), the function doesn't execute. +- `include_body` (Boolean) A flag that allows a Lambda@Edge function to have read access to the body content. For more information, see [Accessing the Request Body by Choosing the Include Body Option](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-include-body-access.html) in the Amazon CloudFront Developer Guide. +- `lambda_function_arn` (String) The ARN of the Lambda@Edge function. You must specify the ARN of a function version; you can't specify an alias or $LATEST. 
@@ -212,13 +329,24 @@ Optional: Required: -- `error_code` (Number) +- `error_code` (Number) The HTTP status code for which you want to specify a custom error page and/or a caching duration. Optional: -- `error_caching_min_ttl` (Number) -- `response_code` (Number) -- `response_page_path` (String) +- `error_caching_min_ttl` (Number) The minimum amount of time, in seconds, that you want CloudFront to cache the HTTP status code specified in ``ErrorCode``. When this time period has elapsed, CloudFront queries your origin to see whether the problem that caused the error has been resolved and the requested object is now available. + For more information, see [Customizing Error Responses](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/custom-error-pages.html) in the *Amazon CloudFront Developer Guide*. +- `response_code` (Number) The HTTP status code that you want CloudFront to return to the viewer along with the custom error page. There are a variety of reasons that you might want CloudFront to return a status code different from the status code that your origin returned to CloudFront, for example: + + Some Internet devices (some firewalls and corporate proxies, for example) intercept HTTP 4xx and 5xx and prevent the response from being returned to the viewer. If you substitute ``200``, the response typically won't be intercepted. + + If you don't care about distinguishing among different client errors or server errors, you can specify ``400`` or ``500`` as the ``ResponseCode`` for all 4xx or 5xx errors. + + You might want to return a ``200`` status code (OK) and static website so your customers don't know that your website is down. + + If you specify a value for ``ResponseCode``, you must also specify a value for ``ResponsePagePath``. 
+- `response_page_path` (String) The path to the custom error page that you want CloudFront to return to a viewer when your origin returns the HTTP status code specified by ``ErrorCode``, for example, ``/4xx-errors/403-forbidden.html``. If you want to store your objects and your custom error pages in different locations, your distribution must include a cache behavior for which the following is true: + + The value of ``PathPattern`` matches the path to your custom error messages. For example, suppose you saved custom error pages for 4xx errors in an Amazon S3 bucket in a directory named ``/4xx-errors``. Your distribution must include a cache behavior for which the path pattern routes requests for your custom error pages to that location, for example, ``/4xx-errors/*``. + + The value of ``TargetOriginId`` specifies the value of the ``ID`` element for the origin that contains your custom error pages. + + If you specify a value for ``ResponsePagePath``, you must also specify a value for ``ResponseCode``. + We recommend 
@@ -241,12 +369,12 @@ Optional: Required: -- `bucket` (String) +- `bucket` (String) The Amazon S3 bucket to store the access logs in, for example, ``myawslogbucket.s3.amazonaws.com``. Optional: -- `include_cookies` (Boolean) -- `prefix` (String) +- `include_cookies` (Boolean) Specifies whether you want CloudFront to include cookies in access logs, specify ``true`` for ``IncludeCookies``. If you choose to include cookies in logs, CloudFront logs all cookies regardless of how you configure the cache behaviors for this distribution. If you don't want to include cookies when you create a distribution or if you want to disable include cookies for an existing distribution, specify ``false`` for ``IncludeCookies``. +- `prefix` (String) An optional string that you want CloudFront to prefix to the access log ``filenames`` for this distribution, for example, ``myprefix/``. If you want to enable logging, but you don't want to specify a prefix, you still must include an empty ``Prefix`` element in the ``Logging`` element. 
@@ -254,35 +382,35 @@ Optional: Required: -- `quantity` (Number) +- `quantity` (Number) The number of origin groups. Optional: -- `items` (Attributes List) (see [below for nested schema](#nestedatt--distribution_config--origin_groups--items)) +- `items` (Attributes List) The items (origin groups) in a distribution. (see [below for nested schema](#nestedatt--distribution_config--origin_groups--items)) ### Nested Schema for `distribution_config.origin_groups.items` Required: -- `failover_criteria` (Attributes) (see [below for nested schema](#nestedatt--distribution_config--origin_groups--items--failover_criteria)) -- `id` (String) -- `members` (Attributes) (see [below for nested schema](#nestedatt--distribution_config--origin_groups--items--members)) +- `failover_criteria` (Attributes) A complex type that contains information about the failover criteria for an origin group. (see [below for nested schema](#nestedatt--distribution_config--origin_groups--items--failover_criteria)) +- `id` (String) The origin group's ID. +- `members` (Attributes) A complex type that contains information about the origins in an origin group. (see [below for nested schema](#nestedatt--distribution_config--origin_groups--items--members)) ### Nested Schema for `distribution_config.origin_groups.items.members` Required: -- `status_codes` (Attributes) (see [below for nested schema](#nestedatt--distribution_config--origin_groups--items--members--status_codes)) +- `status_codes` (Attributes) The status codes that, when returned from the primary origin, will trigger CloudFront to failover to the second origin. (see [below for nested schema](#nestedatt--distribution_config--origin_groups--items--members--status_codes)) ### Nested Schema for `distribution_config.origin_groups.items.members.status_codes` Required: -- `items` (List of Number) -- `quantity` (Number) +- `items` (List of Number) The items (status codes) for an origin group. +- `quantity` (Number) The number of status codes. 
@@ -291,15 +419,15 @@ Required: Required: -- `items` (Attributes List) (see [below for nested schema](#nestedatt--distribution_config--origin_groups--items--members--items)) -- `quantity` (Number) +- `items` (Attributes List) Items (origins) in an origin group. (see [below for nested schema](#nestedatt--distribution_config--origin_groups--items--members--items)) +- `quantity` (Number) The number of origins in an origin group. ### Nested Schema for `distribution_config.origin_groups.items.members.items` Required: -- `origin_id` (String) +- `origin_id` (String) The ID for an origin in an origin group. 
@@ -310,34 +438,49 @@ Required: Required: -- `domain_name` (String) -- `id` (String) +- `domain_name` (String) The domain name for the origin. + For more information, see [Origin Domain Name](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesDomainName) in the *Amazon CloudFront Developer Guide*. +- `id` (String) A unique identifier for the origin. This value must be unique within the distribution. + Use this value to specify the ``TargetOriginId`` in a ``CacheBehavior`` or ``DefaultCacheBehavior``. Optional: -- `connection_attempts` (Number) -- `connection_timeout` (Number) -- `custom_origin_config` (Attributes) (see [below for nested schema](#nestedatt--distribution_config--origins--custom_origin_config)) -- `origin_access_control_id` (String) -- `origin_custom_headers` (Attributes List) (see [below for nested schema](#nestedatt--distribution_config--origins--origin_custom_headers)) -- `origin_path` (String) -- `origin_shield` (Attributes) (see [below for nested schema](#nestedatt--distribution_config--origins--origin_shield)) -- `s3_origin_config` (Attributes) (see [below for nested schema](#nestedatt--distribution_config--origins--s3_origin_config)) +- `connection_attempts` (Number) The number of times that CloudFront attempts to connect to the origin. The minimum number is 1, the maximum is 3, and the default (if you don't specify otherwise) is 3. + For a custom origin (including an Amazon S3 bucket that's configured with static website hosting), this value also specifies the number of times that CloudFront attempts to get a response from the origin, in the case of an [Origin Response Timeout](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginResponseTimeout). 
+ For more information, see [Origin Connection Attempts](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#origin-connection-attempts) in the *Amazon CloudFront Developer Guide*. +- `connection_timeout` (Number) The number of seconds that CloudFront waits when trying to establish a connection to the origin. The minimum timeout is 1 second, the maximum is 10 seconds, and the default (if you don't specify otherwise) is 10 seconds. + For more information, see [Origin Connection Timeout](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#origin-connection-timeout) in the *Amazon CloudFront Developer Guide*. +- `custom_origin_config` (Attributes) Use this type to specify an origin that is not an Amazon S3 bucket, with one exception. If the Amazon S3 bucket is configured with static website hosting, use this type. If the Amazon S3 bucket is not configured with static website hosting, use the ``S3OriginConfig`` type instead. (see [below for nested schema](#nestedatt--distribution_config--origins--custom_origin_config)) +- `origin_access_control_id` (String) The unique identifier of an origin access control for this origin. + For more information, see [Restricting access to an Amazon S3 origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) in the *Amazon CloudFront Developer Guide*. +- `origin_custom_headers` (Attributes List) A list of HTTP header names and values that CloudFront adds to the requests that it sends to the origin. + For more information, see [Adding Custom Headers to Origin Requests](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/add-origin-custom-headers.html) in the *Amazon CloudFront Developer Guide*. 
(see [below for nested schema](#nestedatt--distribution_config--origins--origin_custom_headers)) +- `origin_path` (String) An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. + For more information, see [Origin Path](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginPath) in the *Amazon CloudFront Developer Guide*. +- `origin_shield` (Attributes) CloudFront Origin Shield. Using Origin Shield can help reduce the load on your origin. + For more information, see [Using Origin Shield](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html) in the *Amazon CloudFront Developer Guide*. (see [below for nested schema](#nestedatt--distribution_config--origins--origin_shield)) +- `s3_origin_config` (Attributes) Use this type to specify an origin that is an Amazon S3 bucket that is not configured with static website hosting. To specify any other type of origin, including an Amazon S3 bucket that is configured with static website hosting, use the ``CustomOriginConfig`` type instead. (see [below for nested schema](#nestedatt--distribution_config--origins--s3_origin_config)) ### Nested Schema for `distribution_config.origins.custom_origin_config` Required: -- `origin_protocol_policy` (String) +- `origin_protocol_policy` (String) Specifies the protocol (HTTP or HTTPS) that CloudFront uses to connect to the origin. Valid values are: + + ``http-only`` ? CloudFront always uses HTTP to connect to the origin. + + ``match-viewer`` ? CloudFront connects to the origin using the same protocol that the viewer used to connect to CloudFront. + + ``https-only`` ? CloudFront always uses HTTPS to connect to the origin. 
Optional: -- `http_port` (Number) -- `https_port` (Number) -- `origin_keepalive_timeout` (Number) -- `origin_read_timeout` (Number) -- `origin_ssl_protocols` (List of String) +- `http_port` (Number) The HTTP port that CloudFront uses to connect to the origin. Specify the HTTP port that the origin listens on. +- `https_port` (Number) The HTTPS port that CloudFront uses to connect to the origin. Specify the HTTPS port that the origin listens on. +- `origin_keepalive_timeout` (Number) Specifies how long, in seconds, CloudFront persists its connection to the origin. The minimum timeout is 1 second, the maximum is 60 seconds, and the default (if you don't specify otherwise) is 5 seconds. + For more information, see [Origin Keep-alive Timeout](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginKeepaliveTimeout) in the *Amazon CloudFront Developer Guide*. +- `origin_read_timeout` (Number) Specifies how long, in seconds, CloudFront waits for a response from the origin. This is also known as the *origin response timeout*. The minimum timeout is 1 second, the maximum is 60 seconds, and the default (if you don't specify otherwise) is 30 seconds. + For more information, see [Origin Response Timeout](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginResponseTimeout) in the *Amazon CloudFront Developer Guide*. +- `origin_ssl_protocols` (List of String) Specifies the minimum SSL/TLS protocol that CloudFront uses when connecting to your origin over HTTPS. Valid values include ``SSLv3``, ``TLSv1``, ``TLSv1.1``, and ``TLSv1.2``. + For more information, see [Minimum Origin SSL Protocol](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginSSLProtocols) in the *Amazon CloudFront Developer Guide*. 
@@ -345,8 +488,8 @@ Optional: Required: -- `header_name` (String) -- `header_value` (String) +- `header_name` (String) The name of a header that you want CloudFront to send to your origin. For more information, see [Adding Custom Headers to Origin Requests](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/forward-custom-headers.html) in the *Amazon CloudFront Developer Guide*. +- `header_value` (String) The value for the header that you specified in the ``HeaderName`` field. @@ -354,8 +497,11 @@ Required: Optional: -- `enabled` (Boolean) -- `origin_shield_region` (String) +- `enabled` (Boolean) A flag that specifies whether Origin Shield is enabled. + When it's enabled, CloudFront routes all requests through Origin Shield, which can help protect your origin. When it's disabled, CloudFront might send requests directly to your origin from multiple edge locations or regional edge caches. +- `origin_shield_region` (String) The AWS-Region for Origin Shield. + Specify the AWS-Region that has the lowest latency to your origin. To specify a region, use the region code, not the region name. For example, specify the US East (Ohio) region as ``us-east-2``. + When you enable CloudFront Origin Shield, you must specify the AWS-Region for Origin Shield. For the list of AWS-Regions that you can specify, and for help choosing the best Region for your origin, see [Choosing the for Origin Shield](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html#choose-origin-shield-region) in the *Amazon CloudFront Developer Guide*. 
@@ -363,7 +509,13 @@ Optional: Optional: -- `origin_access_identity` (String) +- `origin_access_identity` (String) The CloudFront origin access identity to associate with the origin. Use an origin access identity to configure the origin so that viewers can *only* access objects in an Amazon S3 bucket through CloudFront. The format of the value is: + origin-access-identity/cloudfront/*ID-of-origin-access-identity* + where ``ID-of-origin-access-identity`` is the value that CloudFront returned in the ``ID`` element when you created the origin access identity. + If you want viewers to be able to access objects using either the CloudFront URL or the Amazon S3 URL, specify an empty ``OriginAccessIdentity`` element. + To delete the origin access identity from an existing distribution, update the distribution configuration and include an empty ``OriginAccessIdentity`` element. + To replace the origin access identity, update the distribution configuration and specify the new origin access identity. + For more information about the origin access identity, see [Serving Private Content through CloudFront](https://d 
@@ -372,18 +524,23 @@ Optional: Required: -- `geo_restriction` (Attributes) (see [below for nested schema](#nestedatt--distribution_config--restrictions--geo_restriction)) +- `geo_restriction` (Attributes) A complex type that controls the countries in which your content is distributed. CF determines the location of your users using ``MaxMind`` GeoIP databases. To disable geo restriction, remove the [Restrictions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-restrictions) property from your stack template. (see [below for nested schema](#nestedatt--distribution_config--restrictions--geo_restriction)) ### Nested Schema for `distribution_config.restrictions.geo_restriction` Required: -- `restriction_type` (String) +- `restriction_type` (String) The method that you want to use to restrict distribution of your content by country: + + ``none``: No geo restriction is enabled, meaning access to content is not restricted by client geo location. + + ``blacklist``: The ``Location`` elements specify the countries in which you don't want CloudFront to distribute your content. + + ``whitelist``: The ``Location`` elements specify the countries in which you want CloudFront to distribute your content. Optional: -- `locations` (List of String) +- `locations` (List of String) A complex type that contains a ``Location`` element for each country in which you want CloudFront either to distribute your content (``whitelist``) or not distribute your content (``blacklist``). + The ``Location`` element is a two-letter, uppercase country code for a country that you want to include in your ``blacklist`` or ``whitelist``. Include one ``Location`` element for each country. + CloudFront and ``MaxMind`` both use ``ISO 3166`` country codes. 
For the current list of countries and the corresponding codes, see ``ISO 3166-1-alpha-2`` code on the *International Organization for Standardization* website. You can also refer to the country list on the CloudFront console, which includes both country names and codes. 
@@ -404,11 +561,29 @@ Optional: Optional: -- `acm_certificate_arn` (String) -- `cloudfront_default_certificate` (Boolean) -- `iam_certificate_id` (String) -- `minimum_protocol_version` (String) -- `ssl_support_method` (String) +- `acm_certificate_arn` (String) In CloudFormation, this field name is ``AcmCertificateArn``. Note the different capitalization. + If the distribution uses ``Aliases`` (alternate domain names or CNAMEs) and the SSL/TLS certificate is stored in [(ACM)](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html), provide the Amazon Resource Name (ARN) of the ACM certificate. CloudFront only supports ACM certificates in the US East (N. Virginia) Region (``us-east-1``). + If you specify an ACM certificate ARN, you must also specify values for ``MinimumProtocolVersion`` and ``SSLSupportMethod``. (In CloudFormation, the field name is ``SslSupportMethod``. Note the different capitalization.) +- `cloudfront_default_certificate` (Boolean) If the distribution uses the CloudFront domain name such as ``d111111abcdef8.cloudfront.net``, set this field to ``true``. + If the distribution uses ``Aliases`` (alternate domain names or CNAMEs), omit this field and specify values for the following fields: + + ``AcmCertificateArn`` or ``IamCertificateId`` (specify a value for one, not both) + + ``MinimumProtocolVersion`` + + ``SslSupportMethod`` +- `iam_certificate_id` (String) In CloudFormation, this field name is ``IamCertificateId``. Note the different capitalization. + If the distribution uses ``Aliases`` (alternate domain names or CNAMEs) and the SSL/TLS certificate is stored in [(IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html), provide the ID of the IAM certificate. + If you specify an IAM certificate ID, you must also specify values for ``MinimumProtocolVersion`` and ``SSLSupportMethod``. (In CloudFormation, the field name is ``SslSupportMethod``. Note the different capitalization.) 
+- `minimum_protocol_version` (String) If the distribution uses ``Aliases`` (alternate domain names or CNAMEs), specify the security policy that you want CloudFront to use for HTTPS connections with viewers. The security policy determines two settings: + + The minimum SSL/TLS protocol that CloudFront can use to communicate with viewers. + + The ciphers that CloudFront can use to encrypt the content that it returns to viewers. + + For more information, see [Security Policy](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValues-security-policy) and [Supported Protocols and Ciphers Between Viewers and CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html#secure-connections-supported-ciphers) in the *Amazon CloudFront Developer Guide*. + On the CloudFront console, this setting is called *Security Policy*. + When you're using SNI only (you set ``SSLSupportMethod`` to ``sni-onl +- `ssl_support_method` (String) In CloudFormation, this field name is ``SslSupportMethod``. Note the different capitalization. + If the distribution uses ``Aliases`` (alternate domain names or CNAMEs), specify which viewers the distribution accepts HTTPS connections from. + + ``sni-only`` ? The distribution accepts HTTPS connections from only viewers that support [server name indication (SNI)](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Server_Name_Indication). This is recommended. Most browsers and clients support SNI. + + ``vip`` ? The distribution accepts HTTPS connections from all viewers including those that don't support SNI. This is not recommended, and results in additional monthly charges from CloudFront. + + ``static-ip`` - Do not specify this value unless your distribution has been enabled for this feature by the CloudFront team. 
If you have a use case that requires static IP addresses for a distribution, contact CloudFront through the [Center](https://docs.aws.amazon.com/support/home). @@ -417,8 +592,10 @@ Optional: Required: -- `key` (String) -- `value` (String) +- `key` (String) A string that contains ``Tag`` key. + The string length should be between 1 and 128 characters. Valid characters include ``a-z``, ``A-Z``, ``0-9``, space, and the special characters ``_ - . : / = + @``. +- `value` (String) A string that contains an optional ``Tag`` value. + The string length should be between 0 and 256 characters. Valid characters include ``a-z``, ``A-Z``, ``0-9``, space, and the special characters ``_ - . : / = + @``. ## Import diff --git a/docs/resources/cognito_user_pool_risk_configuration_attachment.md b/docs/resources/cognito_user_pool_risk_configuration_attachment.md new file mode 100644 index 0000000000..e810442838 --- /dev/null +++ b/docs/resources/cognito_user_pool_risk_configuration_attachment.md 
@@ -0,0 +1,171 @@ +--- +# generated by https://github.com/hashicorp/terraform-plugin-docs +page_title: "awscc_cognito_user_pool_risk_configuration_attachment Resource - terraform-provider-awscc" +subcategory: "" +description: |- + Resource Type definition for AWS::Cognito::UserPoolRiskConfigurationAttachment +--- + +# awscc_cognito_user_pool_risk_configuration_attachment (Resource) + +Resource Type definition for AWS::Cognito::UserPoolRiskConfigurationAttachment + + + + +## Schema + +### Required + +- `client_id` (String) +- `user_pool_id` (String) + +### Optional + +- `account_takeover_risk_configuration` (Attributes) (see [below for nested schema](#nestedatt--account_takeover_risk_configuration)) +- `compromised_credentials_risk_configuration` (Attributes) (see [below for nested schema](#nestedatt--compromised_credentials_risk_configuration)) +- `risk_exception_configuration` (Attributes) (see [below for nested schema](#nestedatt--risk_exception_configuration)) + +### Read-Only + +- `id` (String) Uniquely identifies the resource. 
+ + +### Nested Schema for `account_takeover_risk_configuration` + +Required: + +- `actions` (Attributes) (see [below for nested schema](#nestedatt--account_takeover_risk_configuration--actions)) + +Optional: + +- `notify_configuration` (Attributes) (see [below for nested schema](#nestedatt--account_takeover_risk_configuration--notify_configuration)) + + +### Nested Schema for `account_takeover_risk_configuration.actions` + +Optional: + +- `high_action` (Attributes) (see [below for nested schema](#nestedatt--account_takeover_risk_configuration--actions--high_action)) +- `low_action` (Attributes) (see [below for nested schema](#nestedatt--account_takeover_risk_configuration--actions--low_action)) +- `medium_action` (Attributes) (see [below for nested schema](#nestedatt--account_takeover_risk_configuration--actions--medium_action)) + + +### Nested Schema for `account_takeover_risk_configuration.actions.high_action` + +Required: + +- `event_action` (String) +- `notify` (Boolean) + + + +### Nested Schema for `account_takeover_risk_configuration.actions.low_action` + +Required: + +- `event_action` (String) +- `notify` (Boolean) + + + +### Nested Schema for `account_takeover_risk_configuration.actions.medium_action` + +Required: + +- `event_action` (String) +- `notify` (Boolean) + + + + +### Nested Schema for `account_takeover_risk_configuration.notify_configuration` + +Required: + +- `source_arn` (String) + +Optional: + +- `block_email` (Attributes) (see [below for nested schema](#nestedatt--account_takeover_risk_configuration--notify_configuration--block_email)) +- `from` (String) +- `mfa_email` (Attributes) (see [below for nested schema](#nestedatt--account_takeover_risk_configuration--notify_configuration--mfa_email)) +- `no_action_email` (Attributes) (see [below for nested schema](#nestedatt--account_takeover_risk_configuration--notify_configuration--no_action_email)) +- `reply_to` (String) + + +### Nested Schema for 
`account_takeover_risk_configuration.notify_configuration.block_email` + +Required: + +- `subject` (String) + +Optional: + +- `html_body` (String) +- `text_body` (String) + + + +### Nested Schema for `account_takeover_risk_configuration.notify_configuration.mfa_email` + +Required: + +- `subject` (String) + +Optional: + +- `html_body` (String) +- `text_body` (String) + + + +### Nested Schema for `account_takeover_risk_configuration.notify_configuration.no_action_email` + +Required: + +- `subject` (String) + +Optional: + +- `html_body` (String) +- `text_body` (String) + + + + + +### Nested Schema for `compromised_credentials_risk_configuration` + +Required: + +- `actions` (Attributes) (see [below for nested schema](#nestedatt--compromised_credentials_risk_configuration--actions)) + +Optional: + +- `event_filter` (List of String) + + +### Nested Schema for `compromised_credentials_risk_configuration.actions` + +Required: + +- `event_action` (String) + + + + +### Nested Schema for `risk_exception_configuration` + +Optional: + +- `blocked_ip_range_list` (List of String) +- `skipped_ip_range_list` (List of String) + +## Import + +Import is supported using the following syntax: + +```shell +$ terraform import awscc_cognito_user_pool_risk_configuration_attachment.exampleRepresents an entry point into AWS Elemental MediaPackage for an ABR video content stream sent from an upstream encoder such as AWS Elemental MediaLive. The channel continuously analyzes the content that it receives and prepares it to be distributed to consumers via one or more origin endpoints.
--- # awscc_mediapackagev2_channel (Resource) -Definition of AWS::MediaPackageV2::Channel Resource Type +Represents an entry point into AWS Elemental MediaPackage for an ABR video content stream sent from an upstream encoder such as AWS Elemental MediaLive. The channel continuously analyzes the content that it receives and prepares it to be distributed to consumers via one or more origin endpoints.
## Schema -### Optional +### Required - `channel_group_name` (String) - `channel_name` (String) -- `description` (String) + +### Optional + +- `description` (String)Enter any descriptive text that helps you to identify the channel.
- `tags` (Attributes List) (see [below for nested schema](#nestedatt--tags)) ### Read-Only -- `arn` (String) -- `created_at` (String) +- `arn` (String)The Amazon Resource Name (ARN) associated with the resource.
+- `created_at` (String)The date and time the channel was created.
- `id` (String) Uniquely identifies the resource. -- `ingest_endpoints` (Attributes List) (see [below for nested schema](#nestedatt--ingest_endpoints)) -- `modified_at` (String) +- `ingest_endpoints` (Attributes List)The list of ingest endpoints.
(see [below for nested schema](#nestedatt--ingest_endpoints)) +- `modified_at` (String)The date and time the channel was modified.
### Nested Schema for `tags` @@ -44,8 +47,8 @@ Optional: Read-Only: -- `id` (String) -- `url` (String) +- `id` (String)The system-generated unique identifier for the IngestEndpoint.
+- `url` (String)The ingest domain URL where the source stream should be sent.
## Import diff --git a/docs/resources/mediapackagev2_channel_group.md b/docs/resources/mediapackagev2_channel_group.md index a618771871..4634661a24 100644 --- a/docs/resources/mediapackagev2_channel_group.md +++ b/docs/resources/mediapackagev2_channel_group.md @@ -3,31 +3,34 @@ page_title: "awscc_mediapackagev2_channel_group Resource - terraform-provider-awscc" subcategory: "" description: |- - Definition of AWS::MediaPackageV2::ChannelGroup Resource Type +Represents a channel group that facilitates the grouping of multiple channels.
--- # awscc_mediapackagev2_channel_group (Resource) -Definition of AWS::MediaPackageV2::ChannelGroup Resource Type +Represents a channel group that facilitates the grouping of multiple channels.
## Schema -### Optional +### Required - `channel_group_name` (String) -- `description` (String) + +### Optional + +- `description` (String)Enter any descriptive text that helps you to identify the channel group.
- `tags` (Attributes List) (see [below for nested schema](#nestedatt--tags)) ### Read-Only -- `arn` (String) -- `created_at` (String) -- `egress_domain` (String) +- `arn` (String)The Amazon Resource Name (ARN) associated with the resource.
+- `created_at` (String)The date and time the channel group was created.
+- `egress_domain` (String)The output domain where the source stream should be sent. Integrate the domain with a downstream CDN (such as Amazon CloudFront) or playback device.
- `id` (String) Uniquely identifies the resource. -- `modified_at` (String) +- `modified_at` (String)The date and time the channel group was modified.
### Nested Schema for `tags` diff --git a/docs/resources/mediapackagev2_channel_policy.md b/docs/resources/mediapackagev2_channel_policy.md index bc6b552585..1ed863394e 100644 --- a/docs/resources/mediapackagev2_channel_policy.md +++ b/docs/resources/mediapackagev2_channel_policy.md @@ -3,12 +3,12 @@ page_title: "awscc_mediapackagev2_channel_policy Resource - terraform-provider-awscc" subcategory: "" description: |- - Definition of AWS::MediaPackageV2::ChannelPolicy Resource Type +Represents a resource-based policy that allows or denies access to a channel.
--- # awscc_mediapackagev2_channel_policy (Resource) -Definition of AWS::MediaPackageV2::ChannelPolicy Resource Type +Represents a resource-based policy that allows or denies access to a channel.
@@ -17,12 +17,9 @@ Definition of AWS::MediaPackageV2::ChannelPolicy Resource Type ### Required -- `policy` (String) - -### Optional - - `channel_group_name` (String) - `channel_name` (String) +- `policy` (String) ### Read-Only diff --git a/docs/resources/mediapackagev2_origin_endpoint.md b/docs/resources/mediapackagev2_origin_endpoint.md index 6866348572..cf0fc8b3ef 100644 --- a/docs/resources/mediapackagev2_origin_endpoint.md +++ b/docs/resources/mediapackagev2_origin_endpoint.md @@ -17,16 +17,16 @@ description: |- ### Required -- `container_type` (String) +- `channel_group_name` (String) +- `channel_name` (String) +- `origin_endpoint_name` (String) ### Optional -- `channel_group_name` (String) -- `channel_name` (String) +- `container_type` (String) - `description` (String)Enter any descriptive text that helps you to identify the origin endpoint.
- `hls_manifests` (Attributes List)An HTTP live streaming (HLS) manifest configuration.
(see [below for nested schema](#nestedatt--hls_manifests)) - `low_latency_hls_manifests` (Attributes List)A low-latency HLS manifest configuration.
(see [below for nested schema](#nestedatt--low_latency_hls_manifests)) -- `origin_endpoint_name` (String) - `segment` (Attributes)The segment configuration, including the segment name, duration, and other configuration values.
(see [below for nested schema](#nestedatt--segment)) - `startover_window_seconds` (Number)The size of the window (in seconds) to create a window of the live stream that's available for on-demand viewing. Viewers can start-over or catch-up on content that falls within the window. The maximum startover window is 1,209,600 seconds (14 days).
- `tags` (Attributes List) (see [below for nested schema](#nestedatt--tags)) diff --git a/docs/resources/mediapackagev2_origin_endpoint_policy.md b/docs/resources/mediapackagev2_origin_endpoint_policy.md index b21efca0d6..7426b726be 100644 --- a/docs/resources/mediapackagev2_origin_endpoint_policy.md +++ b/docs/resources/mediapackagev2_origin_endpoint_policy.md @@ -3,12 +3,12 @@ page_title: "awscc_mediapackagev2_origin_endpoint_policy Resource - terraform-provider-awscc" subcategory: "" description: |- - Definition of AWS::MediaPackageV2::OriginEndpointPolicy Resource Type +Represents a resource policy that allows or denies access to an origin endpoint.
--- # awscc_mediapackagev2_origin_endpoint_policy (Resource) -Definition of AWS::MediaPackageV2::OriginEndpointPolicy Resource Type +Represents a resource policy that allows or denies access to an origin endpoint.
@@ -17,13 +17,10 @@ Definition of AWS::MediaPackageV2::OriginEndpointPolicy Resource Type ### Required -- `policy` (String) - -### Optional - - `channel_group_name` (String) - `channel_name` (String) - `origin_endpoint_name` (String) +- `policy` (String) ### Read-Only diff --git a/docs/resources/rds_db_instance.md b/docs/resources/rds_db_instance.md index 15da86c000..adf88c1f6a 100644 --- a/docs/resources/rds_db_instance.md +++ b/docs/resources/rds_db_instance.md 
@@ -2,12 +2,20 @@ page_title: "awscc_rds_db_instance Resource - terraform-provider-awscc" subcategory: "" description: |- - The AWS::RDS::DBInstance resource creates an Amazon RDS DB instance. + The AWS::RDS::DBInstance resource creates an Amazon DB instance. The new DB instance can be an RDS DB instance, or it can be a DB instance in an Aurora DB cluster. + For more information about creating an RDS DB instance, see Creating an Amazon RDS DB instance https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateDBInstance.html in the Amazon RDS User Guide. + For more information about creating a DB instance in an Aurora DB cluster, see Creating an Amazon Aurora DB cluster https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.CreateInstance.html in the Amazon Aurora User Guide. + If you import an existing DB instance, and the template configuration doesn't match the actual configuration of the DB instance, AWS CloudFormation applies the changes in the template during the import operation. + If a DB instance is deleted or replaced during an update, AWS CloudFormation deletes all automated snapshots. However, it retains manual DB snapshots. During an --- # awscc_rds_db_instance (Resource) -The AWS::RDS::DBInstance resource creates an Amazon RDS DB instance. +The ``AWS::RDS::DBInstance`` resource creates an Amazon DB instance. The new DB instance can be an RDS DB instance, or it can be a DB instance in an Aurora DB cluster. + For more information about creating an RDS DB instance, see [Creating an Amazon RDS DB instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateDBInstance.html) in the *Amazon RDS User Guide*. + For more information about creating a DB instance in an Aurora DB cluster, see [Creating an Amazon Aurora DB cluster](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.CreateInstance.html) in the *Amazon Aurora User Guide*. 
+ If you import an existing DB instance, and the template configuration doesn't match the actual configuration of the DB instance, AWS CloudFormation applies the changes in the template during the import operation. + If a DB instance is deleted or replaced during an update, AWS CloudFormation deletes all automated snapshots. However, it retains manual DB snapshots. During an ## Example Usage 
@@ -111,105 +119,412 @@ resource "awscc_rds_db_instance" "this" { ### Optional -- `allocated_storage` (String) The amount of storage (in gigabytes) to be initially allocated for the database instance. +- `allocated_storage` (String) The amount of storage in gibibytes (GiB) to be initially allocated for the database instance. + If any value is set in the ``Iops`` parameter, ``AllocatedStorage`` must be at least 100 GiB, which corresponds to the minimum Iops value of 1,000. If you increase the ``Iops`` value (in 1,000 IOPS increments), then you must also increase the ``AllocatedStorage`` value (in 100-GiB increments). + *Amazon Aurora* + Not applicable. Aurora cluster volumes automatically grow as the amount of data in your database increases, though you are only charged for the space that you use in an Aurora cluster volume. + *Db2* + Constraints to the amount of storage for each storage type are the following: + + General Purpose (SSD) storage (gp3): Must be an integer from 20 to 64000. + + Provisioned IOPS storage (io1): Must be an integer from 100 to 64000. + + *MySQL* + Constraints to the amount of storage for each storage type are the following: + + General Purpose (SSD) storage (gp2): Must be an integer fro - `allow_major_version_upgrade` (Boolean) A value that indicates whether major version upgrades are allowed. Changing this parameter doesn't result in an outage and the change is asynchronously applied as soon as possible. -- `associated_roles` (Attributes List) The AWS Identity and Access Management (IAM) roles associated with the DB instance. (see [below for nested schema](#nestedatt--associated_roles)) + Constraints: Major version upgrades must be allowed when specifying a value for the ``EngineVersion`` parameter that is a different major version than the DB instance's current version. +- `associated_roles` (Attributes List) The IAMlong (IAM) roles associated with the DB instance. + *Amazon Aurora* + Not applicable. 
The associated roles are managed by the DB cluster. (see [below for nested schema](#nestedatt--associated_roles)) - `auto_minor_version_upgrade` (Boolean) A value that indicates whether minor engine upgrades are applied automatically to the DB instance during the maintenance window. By default, minor engine upgrades are applied automatically. -- `automatic_backup_replication_region` (String) Enables replication of automated backups to a different Amazon Web Services Region. -- `availability_zone` (String) The Availability Zone (AZ) where the database will be created. For information on AWS Regions and Availability Zones. +- `automatic_backup_replication_region` (String) The destination region for the backup replication of the DB instance. For more info, see [Replicating automated backups to another Region](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReplicateBackups.html) in the *Amazon RDS User Guide*. +- `availability_zone` (String) The Availability Zone (AZ) where the database will be created. For information on AWS-Regions and Availability Zones, see [Regions and Availability Zones](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html). + For Amazon Aurora, each Aurora DB cluster hosts copies of its storage in three separate Availability Zones. Specify one of these Availability Zones. Aurora automatically chooses an appropriate Availability Zone if you don't specify one. + Default: A random, system-chosen Availability Zone in the endpoint's AWS-Region. + Constraints: + + The ``AvailabilityZone`` parameter can't be specified if the DB instance is a Multi-AZ deployment. + + The specified Availability Zone must be in the same AWS-Region as the current endpoint. + + Example: ``us-east-1d`` - `backup_retention_period` (Number) The number of days for which automated backups are retained. Setting this parameter to a positive number enables backups. Setting this parameter to 0 disables automated backups. 
+ *Amazon Aurora* + Not applicable. The retention period for automated backups is managed by the DB cluster. + Default: 1 + Constraints: + + Must be a value from 0 to 35 + + Can't be set to 0 if the DB instance is a source to read replicas - `ca_certificate_identifier` (String) The identifier of the CA certificate for this DB instance. -- `certificate_details` (Attributes) Returns the details of the DB instance's server certificate. (see [below for nested schema](#nestedatt--certificate_details)) -- `certificate_rotation_restart` (Boolean) A value that indicates whether the DB instance is restarted when you rotate your SSL/TLS certificate. -By default, the DB instance is restarted when you rotate your SSL/TLS certificate. The certificate is not updated until the DB instance is restarted. -If you are using SSL/TLS to connect to the DB instance, follow the appropriate instructions for your DB engine to rotate your SSL/TLS certificate -This setting doesn't apply to RDS Custom. + Specifying or updating this property triggers a reboot. For more information about CA certificate identifiers for RDS DB engines, see [Rotating Your SSL/TLS Certificate](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html) in the *Amazon RDS User Guide*. For more information about CA certificate identifiers for Aurora DB engines, see [Rotating Your SSL/TLS Certificate](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html) in the *Amazon Aurora User Guide*. +- `certificate_details` (Attributes) The details of the DB instance's server certificate. (see [below for nested schema](#nestedatt--certificate_details)) +- `certificate_rotation_restart` (Boolean) Specifies whether the DB instance is restarted when you rotate your SSL/TLS certificate. + By default, the DB instance is restarted when you rotate your SSL/TLS certificate. The certificate is not updated until the DB instance is restarted. 
+ Set this parameter only if you are *not* using SSL/TLS to connect to the DB instance. + If you are using SSL/TLS to connect to the DB instance, follow the appropriate instructions for your DB engine to rotate your SSL/TLS certificate: + + For more information about rotating your SSL/TLS certificate for RDS DB engines, see [Rotating Your SSL/TLS Certificate.](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html) in the *Amazon RDS User Guide.* + + For more information about rotating your SSL/TLS certificate for Aurora DB engines, see [Rotating Your SSL/TLS Certificate](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html) in the *Amazon Aurora User Gui - `character_set_name` (String) For supported engines, indicates that the DB instance should be associated with the specified character set. -- `copy_tags_to_snapshot` (Boolean) A value that indicates whether to copy tags from the DB instance to snapshots of the DB instance. By default, tags are not copied. -- `custom_iam_instance_profile` (String) The instance profile associated with the underlying Amazon EC2 instance of an RDS Custom DB instance. The instance profile must meet the following requirements: - * The profile must exist in your account. - * The profile must have an IAM role that Amazon EC2 has permissions to assume. - * The instance profile name and the associated IAM role name must start with the prefix AWSRDSCustom . -For the list of permissions required for the IAM role, see Configure IAM and your VPC in the Amazon RDS User Guide . - -This setting is required for RDS Custom. + *Amazon Aurora* + Not applicable. The character set is managed by the DB cluster. For more information, see [AWS::RDS::DBCluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html). 
+- `copy_tags_to_snapshot` (Boolean) Specifies whether to copy tags from the DB instance to snapshots of the DB instance. By default, tags are not copied. + This setting doesn't apply to Amazon Aurora DB instances. Copying tags to snapshots is managed by the DB cluster. Setting this value for an Aurora DB instance has no effect on the DB cluster setting. +- `custom_iam_instance_profile` (String) The instance profile associated with the underlying Amazon EC2 instance of an RDS Custom DB instance. + This setting is required for RDS Custom. + Constraints: + + The profile must exist in your account. + + The profile must have an IAM role that Amazon EC2 has permissions to assume. + + The instance profile name and the associated IAM role name must start with the prefix ``AWSRDSCustom``. + + For the list of permissions required for the IAM role, see [Configure IAM and your VPC](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-setup-orcl.html#custom-setup-orcl.iam-vpc) in the *Amazon RDS User Guide*. - `db_cluster_identifier` (String) The identifier of the DB cluster that the instance will belong to. -- `db_cluster_snapshot_identifier` (String) The identifier for the RDS for MySQL Multi-AZ DB cluster snapshot to restore from. For more information on Multi-AZ DB clusters, see Multi-AZ deployments with two readable standby DB instances in the Amazon RDS User Guide . - -Constraints: - * Must match the identifier of an existing Multi-AZ DB cluster snapshot. - * Can't be specified when DBSnapshotIdentifier is specified. - * Must be specified when DBSnapshotIdentifier isn't specified. - * If you are restoring from a shared manual Multi-AZ DB cluster snapshot, the DBClusterSnapshotIdentifier must be the ARN of the shared snapshot. - * Can't be the identifier of an Aurora DB cluster snapshot. - * Can't be the identifier of an RDS for PostgreSQL Multi-AZ DB cluster snapshot. 
-- `db_instance_class` (String) The compute and memory capacity of the DB instance, for example, db.m4.large. Not all DB instance classes are available in all AWS Regions, or for all database engines. -- `db_instance_identifier` (String) A name for the DB instance. If you specify a name, AWS CloudFormation converts it to lowercase. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the DB instance. +- `db_cluster_snapshot_identifier` (String) The identifier for the Multi-AZ DB cluster snapshot to restore from. + For more information on Multi-AZ DB clusters, see [Multi-AZ DB cluster deployments](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/multi-az-db-clusters-concepts.html) in the *Amazon RDS User Guide*. + Constraints: + + Must match the identifier of an existing Multi-AZ DB cluster snapshot. + + Can't be specified when ``DBSnapshotIdentifier`` is specified. + + Must be specified when ``DBSnapshotIdentifier`` isn't specified. + + If you are restoring from a shared manual Multi-AZ DB cluster snapshot, the ``DBClusterSnapshotIdentifier`` must be the ARN of the shared snapshot. + + Can't be the identifier of an Aurora DB cluster snapshot. +- `db_instance_class` (String) The compute and memory capacity of the DB instance, for example, ``db.m4.large``. Not all DB instance classes are available in all AWS Regions, or for all database engines. + For the full list of DB instance classes, and availability for your engine, see [DB Instance Class](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.DBInstanceClass.html) in the *Amazon RDS User Guide.* For more information about DB instance class pricing and AWS Region support for DB instance classes, see [Amazon RDS Pricing](https://docs.aws.amazon.com/rds/pricing/). +- `db_instance_identifier` (String) A name for the DB instance. If you specify a name, AWS CloudFormation converts it to lowercase. 
If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the DB instance. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html). + For information about constraints that apply to DB instance identifiers, see [Naming constraints in Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Limits.html#RDS_Limits.Constraints) in the *Amazon RDS User Guide*. + If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name. - `db_name` (String) The meaning of this parameter differs according to the database engine you use. -- `db_parameter_group_name` (String) The name of an existing DB parameter group or a reference to an AWS::RDS::DBParameterGroup resource created in the template. + If you specify the ``DBSnapshotIdentifier`` property, this property only applies to RDS for Oracle. + *Amazon Aurora* + Not applicable. The database name is managed by the DB cluster. + *Db2* + The name of the database to create when the DB instance is created. If this parameter isn't specified, no database is created in the DB instance. + Constraints: + + Must contain 1 to 64 letters or numbers. + + Must begin with a letter. Subsequent characters can be letters, underscores, or digits (0-9). + + Can't be a word reserved by the specified database engine. + + *MySQL* + The name of the database to create when the DB instance is created. If this parameter is not specified, no database is created in the DB instance. + Constraints: + + Must contain 1 to 64 letters or numbers. 
+ + Can't be a word reserved by the specified database engine + + *MariaDB* + The name of the database to create when the DB instance is +- `db_parameter_group_name` (String) The name of an existing DB parameter group or a reference to an [AWS::RDS::DBParameterGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbparametergroup.html) resource created in the template. + To list all of the available DB parameter group names, use the following command: + ``aws rds describe-db-parameter-groups --query "DBParameterGroups[].DBParameterGroupName" --output text`` + If any of the data members of the referenced parameter group are changed during an update, the DB instance might need to be restarted, which causes some interruption. If the parameter group contains static parameters, whether they were changed or not, an update triggers a reboot. + If you don't specify a value for ``DBParameterGroupName`` property, the default DB parameter group for the specified engine and engine version is used. - `db_security_groups` (List of String) A list of the DB security groups to assign to the DB instance. The list can include both the name of existing DB security groups or references to AWS::RDS::DBSecurityGroup resources created in the template. + If you set DBSecurityGroups, you must not set VPCSecurityGroups, and vice versa. Also, note that the DBSecurityGroups property exists only for backwards compatibility with older regions and is no longer recommended for providing security information to an RDS DB instance. Instead, use VPCSecurityGroups. 
+ If you specify this property, AWS CloudFormation sends only the following properties (if specified) to Amazon RDS during create operations: + + ``AllocatedStorage`` + + ``AutoMinorVersionUpgrade`` + + ``AvailabilityZone`` + + ``BackupRetentionPeriod`` + + ``CharacterSetName`` + + ``DBInstanceClass`` + + ``DBName`` + + ``DBParameterGroupName`` + + ``DBSecurityGroups`` + + ``DBSubnetGroupName`` + + ``Engine`` + + ``EngineVersion`` + + ``Iops`` + + ``LicenseModel`` + + - `db_snapshot_identifier` (String) The name or Amazon Resource Name (ARN) of the DB snapshot that's used to restore the DB instance. If you're restoring from a shared manual DB snapshot, you must specify the ARN of the snapshot. -- `db_subnet_group_name` (String) A DB subnet group to associate with the DB instance. If you update this value, the new subnet group must be a subnet group in a new VPC. + By specifying this property, you can create a DB instance from the specified DB snapshot. If the ``DBSnapshotIdentifier`` property is an empty string or the ``AWS::RDS::DBInstance`` declaration has no ``DBSnapshotIdentifier`` property, AWS CloudFormation creates a new database. If the property contains a value (other than an empty string), AWS CloudFormation creates a database from the specified snapshot. If a snapshot with the specified name doesn't exist, AWS CloudFormation can't create the database and it rolls back the stack. + Some DB instance properties aren't valid when you restore from a snapshot, such as the ``MasterUsername`` and ``MasterUserPassword`` properties. For information about the properties that you can specify, see the ``RestoreDBInstanceFromDBSnapshot`` action in the *Amazo +- `db_subnet_group_name` (String) A DB subnet group to associate with the DB instance. If you update this value, the new subnet group must be a subnet group in a new VPC. + If there's no DB subnet group, then the DB instance isn't a VPC DB instance. 
+ For more information about using Amazon RDS in a VPC, see [Using Amazon RDS with Amazon Virtual Private Cloud (VPC)](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html) in the *Amazon RDS User Guide*. + *Amazon Aurora* + Not applicable. The DB subnet group is managed by the DB cluster. If specified, the setting must match the DB cluster setting. - `dedicated_log_volume` (Boolean) Indicates whether the DB instance has a dedicated log volume (DLV) enabled. - `delete_automated_backups` (Boolean) A value that indicates whether to remove automated backups immediately after the DB instance is deleted. This parameter isn't case-sensitive. The default is to remove automated backups immediately after the DB instance is deleted. -- `deletion_protection` (Boolean) A value that indicates whether the DB instance has deletion protection enabled. The database can't be deleted when deletion protection is enabled. By default, deletion protection is disabled. -- `domain` (String) The Active Directory directory ID to create the DB instance in. Currently, only MySQL, Microsoft SQL Server, Oracle, and PostgreSQL DB instances can be created in an Active Directory Domain. + *Amazon Aurora* + Not applicable. When you delete a DB cluster, all automated backups for that DB cluster are deleted and can't be recovered. Manual DB cluster snapshots of the DB cluster are not deleted. +- `deletion_protection` (Boolean) A value that indicates whether the DB instance has deletion protection enabled. The database can't be deleted when deletion protection is enabled. By default, deletion protection is disabled. For more information, see [Deleting a DB Instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html). + *Amazon Aurora* + Not applicable. You can enable or disable deletion protection for the DB cluster. For more information, see ``CreateDBCluster``. 
DB instances in a DB cluster can be deleted even when deletion protection is enabled for the DB cluster. +- `domain` (String) The Active Directory directory ID to create the DB instance in. Currently, only Db2, MySQL, Microsoft SQL Server, Oracle, and PostgreSQL DB instances can be created in an Active Directory Domain. + For more information, see [Kerberos Authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/kerberos-authentication.html) in the *Amazon RDS User Guide*. - `domain_auth_secret_arn` (String) The ARN for the Secrets Manager secret with the credentials for the user joining the domain. + Example: ``arn:aws:secretsmanager:region:account-number:secret:myselfmanagedADtestsecret-123456`` - `domain_dns_ips` (List of String) The IPv4 DNS IP addresses of your primary and secondary Active Directory domain controllers. + Constraints: + + Two IP addresses must be provided. If there isn't a secondary domain controller, use the IP address of the primary domain controller for both entries in the list. + + Example: ``123.124.125.126,234.235.236.237`` - `domain_fqdn` (String) The fully qualified domain name (FQDN) of an Active Directory domain. -- `domain_iam_role_name` (String) Specify the name of the IAM role to be used when making API calls to the Directory Service. + Constraints: + + Can't be longer than 64 characters. + + Example: ``mymanagedADtest.mymanagedAD.mydomain`` +- `domain_iam_role_name` (String) The name of the IAM role to use when making API calls to the Directory Service. + This setting doesn't apply to the following DB instances: + + Amazon Aurora (The domain is managed by the DB cluster.) + + RDS Custom - `domain_ou` (String) The Active Directory organizational unit for your DB instance to join. -- `enable_cloudwatch_logs_exports` (List of String) The list of log types that need to be enabled for exporting to CloudWatch Logs. The values in the list depend on the DB engine being used. 
+ Constraints: + + Must be in the distinguished name format. + + Can't be longer than 64 characters. + + Example: ``OU=mymanagedADtestOU,DC=mymanagedADtest,DC=mymanagedAD,DC=mydomain`` +- `enable_cloudwatch_logs_exports` (List of String) The list of log types that need to be enabled for exporting to CloudWatch Logs. The values in the list depend on the DB engine being used. For more information, see [Publishing Database Logs to Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch) in the *Amazon Relational Database Service User Guide*. + *Amazon Aurora* + Not applicable. CloudWatch Logs exports are managed by the DB cluster. + *Db2* + Valid values: ``diag.log``, ``notify.log`` + *MariaDB* + Valid values: ``audit``, ``error``, ``general``, ``slowquery`` + *Microsoft SQL Server* + Valid values: ``agent``, ``error`` + *MySQL* + Valid values: ``audit``, ``error``, ``general``, ``slowquery`` + *Oracle* + Valid values: ``alert``, ``audit``, ``listener``, ``trace``, ``oemagent`` + *PostgreSQL* + Valid values: ``postgresql``, ``upgrade`` - `enable_iam_database_authentication` (Boolean) A value that indicates whether to enable mapping of AWS Identity and Access Management (IAM) accounts to database accounts. By default, mapping is disabled. -- `enable_performance_insights` (Boolean) A value that indicates whether to enable Performance Insights for the DB instance. -- `endpoint` (Attributes) Specifies the connection endpoint. (see [below for nested schema](#nestedatt--endpoint)) + This property is supported for RDS for MariaDB, RDS for MySQL, and RDS for PostgreSQL. For more information, see [IAM Database Authentication for MariaDB, MySQL, and PostgreSQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html) in the *Amazon RDS User Guide.* + *Amazon Aurora* + Not applicable. Mapping AWS IAM accounts to database accounts is managed by the DB cluster. 
+- `enable_performance_insights` (Boolean) Specifies whether to enable Performance Insights for the DB instance. For more information, see [Using Amazon Performance Insights](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.html) in the *Amazon RDS User Guide*. + This setting doesn't apply to RDS Custom DB instances. +- `endpoint` (Attributes) The connection endpoint for the DB instance. + The endpoint might not be shown for instances with the status of ``creating``. (see [below for nested schema](#nestedatt--endpoint)) - `engine` (String) The name of the database engine that you want to use for this DB instance. + Not every database engine is available in every AWS Region. + When you are creating a DB instance, the ``Engine`` property is required. + Valid Values: + + ``aurora-mysql`` (for Aurora MySQL DB instances) + + ``aurora-postgresql`` (for Aurora PostgreSQL DB instances) + + ``custom-oracle-ee`` (for RDS Custom for Oracle DB instances) + + ``custom-oracle-ee-cdb`` (for RDS Custom for Oracle DB instances) + + ``custom-sqlserver-ee`` (for RDS Custom for SQL Server DB instances) + + ``custom-sqlserver-se`` (for RDS Custom for SQL Server DB instances) + + ``custom-sqlserver-web`` (for RDS Custom for SQL Server DB instances) + + ``db2-ae`` + + ``db2-se`` + + ``mariadb`` + + ``mysql`` + + ``oracle-ee`` + + ``oracle-ee-cdb`` + + ``oracle-se2`` + + ``oracle-se2-cdb`` + + ``postgres`` + + ``sqlserver-ee`` + + ``sqlserver-se`` + + ``sqlserver-ex`` + + ``sqlserver-web`` - `engine_version` (String) The version number of the database engine to use. -- `iops` (Number) The number of I/O operations per second (IOPS) that the database provisions. -- `kms_key_id` (String) The ARN of the AWS Key Management Service (AWS KMS) master key that's used to encrypt the DB instance. + For a list of valid engine versions, use the ``DescribeDBEngineVersions`` action. 
+ The following are the database engines and links to information about the major and minor versions that are available with Amazon RDS. Not every database engine is available for every AWS Region. + *Amazon Aurora* + Not applicable. The version number of the database engine to be used by the DB instance is managed by the DB cluster. + *Db2* + See [Amazon RDS for Db2](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Db2.html#Db2.Concepts.VersionMgmt) in the *Amazon RDS User Guide.* + *MariaDB* + See [MariaDB on Amazon RDS Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MariaDB.html#MariaDB.Concepts.VersionMgmt) in the *Amazon RDS User Guide.* + *Microsoft SQL Server* + See [Microsoft SQL Server Versions on Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html#SQLServer.Concepts.General.VersionSu +- `iops` (Number) The number of I/O operations per second (IOPS) that the database provisions. The value must be equal to or greater than 1000. + If you specify this property, you must follow the range of allowed ratios of your requested IOPS rate to the amount of storage that you allocate (IOPS to allocated storage). For example, you can provision an Oracle database instance with 1000 IOPS and 200 GiB of storage (a ratio of 5:1), or specify 2000 IOPS with 200 GiB of storage (a ratio of 10:1). For more information, see [Amazon RDS Provisioned IOPS Storage to Improve Performance](https://docs.aws.amazon.com/AmazonRDS/latest/DeveloperGuide/CHAP_Storage.html#USER_PIOPS) in the *Amazon RDS User Guide*. + If you specify ``io1`` for the ``StorageType`` property, then you must also specify the ``Iops`` property. + Constraints: + + For RDS for Db2, MariaDB, MySQL, Oracle, and PostgreSQL - Must be a multiple between .5 and 50 of the storage amount for the DB instance. 
+ + For RDS for SQL Server - Must be a multip +- `kms_key_id` (String) The ARN of the AWS KMS key that's used to encrypt the DB instance, such as ``arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef``. If you enable the StorageEncrypted property but don't specify this property, AWS CloudFormation uses the default KMS key. If you specify this property, you must set the StorageEncrypted property to true. + If you specify the ``SourceDBInstanceIdentifier`` property, the value is inherited from the source DB instance if the read replica is created in the same region. + If you create an encrypted read replica in a different AWS Region, then you must specify a KMS key for the destination AWS Region. KMS encryption keys are specific to the region that they're created in, and you can't use encryption keys from one region in another region. + If you specify the ``SnapshotIdentifier`` property, the ``StorageEncrypted`` property value is inherited from the snapshot, and if the DB instance is encrypted, the specified ``KmsKeyId`` property is us - `license_model` (String) License model information for this DB instance. -- `manage_master_user_password` (Boolean) A value that indicates whether to manage the master user password with AWS Secrets Manager. -- `master_user_password` (String) The password for the master user. -- `master_user_secret` (Attributes) Contains the secret managed by RDS in AWS Secrets Manager for the master user password. (see [below for nested schema](#nestedatt--master_user_secret)) + Valid Values: + + Aurora MySQL - ``general-public-license`` + + Aurora PostgreSQL - ``postgresql-license`` + + RDS for Db2 - ``bring-your-own-license``. 
For more information about RDS for Db2 licensing, see [](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/db2-licensing.html) in the *Amazon RDS User Guide.* + + RDS for MariaDB - ``general-public-license`` + + RDS for Microsoft SQL Server - ``license-included`` + + RDS for MySQL - ``general-public-license`` + + RDS for Oracle - ``bring-your-own-license`` or ``license-included`` + + RDS for PostgreSQL - ``postgresql-license`` + + If you've specified ``DBSecurityGroups`` and then you update the license model, AWS CloudFormation replaces the underlying DB instance. This will incur some interruptions to database availability. +- `manage_master_user_password` (Boolean) Specifies whether to manage the master user password with AWS Secrets Manager. + For more information, see [Password management with Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html) in the *Amazon RDS User Guide.* + Constraints: + + Can't manage the master user password with AWS Secrets Manager if ``MasterUserPassword`` is specified. +- `master_user_password` (String) The password for the master user. The password can include any printable ASCII character except "/", """, or "@". + *Amazon Aurora* + Not applicable. The password for the master user is managed by the DB cluster. + *RDS for Db2* + Must contain from 8 to 255 characters. + *RDS for MariaDB* + Constraints: Must contain from 8 to 41 characters. + *RDS for Microsoft SQL Server* + Constraints: Must contain from 8 to 128 characters. + *RDS for MySQL* + Constraints: Must contain from 8 to 41 characters. + *RDS for Oracle* + Constraints: Must contain from 8 to 30 characters. + *RDS for PostgreSQL* + Constraints: Must contain from 8 to 128 characters. +- `master_user_secret` (Attributes) The secret managed by RDS in AWS Secrets Manager for the master user password. 
+ For more information, see [Password management with Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html) in the *Amazon RDS User Guide.* (see [below for nested schema](#nestedatt--master_user_secret)) - `master_username` (String) The master user name for the DB instance. -- `max_allocated_storage` (Number) The upper limit to which Amazon RDS can automatically scale the storage of the DB instance. -- `monitoring_interval` (Number) The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. The default is 0. -- `monitoring_role_arn` (String) The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to Amazon CloudWatch Logs. -- `multi_az` (Boolean) Specifies whether the database instance is a multiple Availability Zone deployment. -- `nchar_character_set_name` (String) The name of the NCHAR character set for the Oracle DB instance. This parameter doesn't apply to RDS Custom. -- `network_type` (String) The network type of the DB cluster. + If you specify the ``SourceDBInstanceIdentifier`` or ``DBSnapshotIdentifier`` property, don't specify this property. The value is inherited from the source DB instance or snapshot. + When migrating a self-managed Db2 database, we recommend that you use the same master username as your self-managed Db2 instance name. + *Amazon Aurora* + Not applicable. The name for the master user is managed by the DB cluster. + *RDS for Db2* + Constraints: + + Must be 1 to 16 letters or numbers. + + First character must be a letter. + + Can't be a reserved word for the chosen database engine. + + *RDS for MariaDB* + Constraints: + + Must be 1 to 16 letters or numbers. + + Can't be a reserved word for the chosen database engine. + + *RDS for Microsoft SQL Server* + Constraints: + + Must be 1 to 128 letters or numbers. + + First character must be a letter. 
+ + Can't be a reserved word for the chosen database engine. + + *RDS for MySQL* + Constrain +- `max_allocated_storage` (Number) The upper limit in gibibytes (GiB) to which Amazon RDS can automatically scale the storage of the DB instance. + For more information about this setting, including limitations that apply to it, see [Managing capacity automatically with Amazon RDS storage autoscaling](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PIOPS.StorageTypes.html#USER_PIOPS.Autoscaling) in the *Amazon RDS User Guide*. + This setting doesn't apply to the following DB instances: + + Amazon Aurora (Storage is managed by the DB cluster.) + + RDS Custom +- `monitoring_interval` (Number) The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collection of Enhanced Monitoring metrics, specify 0. The default is 0. + If ``MonitoringRoleArn`` is specified, then you must set ``MonitoringInterval`` to a value other than 0. + This setting doesn't apply to RDS Custom. + Valid Values: ``0, 1, 5, 10, 15, 30, 60`` +- `monitoring_role_arn` (String) The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to Amazon CloudWatch Logs. For example, ``arn:aws:iam:123456789012:role/emaccess``. For information on creating a monitoring role, see [Setting Up and Enabling Enhanced Monitoring](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html#USER_Monitoring.OS.Enabling) in the *Amazon RDS User Guide*. + If ``MonitoringInterval`` is set to a value other than ``0``, then you must supply a ``MonitoringRoleArn`` value. + This setting doesn't apply to RDS Custom DB instances. +- `multi_az` (Boolean) Specifies whether the database instance is a Multi-AZ DB instance deployment. You can't set the ``AvailabilityZone`` parameter if the ``MultiAZ`` parameter is set to true. 
+ For more information, see [Multi-AZ deployments for high availability](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html) in the *Amazon RDS User Guide*. + *Amazon Aurora* + Not applicable. Amazon Aurora storage is replicated across all of the Availability Zones and doesn't require the ``MultiAZ`` option to be set. +- `nchar_character_set_name` (String) The name of the NCHAR character set for the Oracle DB instance. + This setting doesn't apply to RDS Custom DB instances. +- `network_type` (String) The network type of the DB instance. + Valid values: + + ``IPV4`` + + ``DUAL`` + + The network type is determined by the ``DBSubnetGroup`` specified for the DB instance. A ``DBSubnetGroup`` can support only the IPv4 protocol or the IPv4 and IPv6 protocols (``DUAL``). + For more information, see [Working with a DB instance in a VPC](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html) in the *Amazon RDS User Guide.* - `option_group_name` (String) Indicates that the DB instance should be associated with the specified option group. -- `performance_insights_kms_key_id` (String) The AWS KMS key identifier for encryption of Performance Insights data. The KMS key ID is the Amazon Resource Name (ARN), KMS key identifier, or the KMS key alias for the KMS encryption key. -- `performance_insights_retention_period` (Number) The amount of time, in days, to retain Performance Insights data. Valid values are 7 or 731 (2 years). + Permanent options, such as the TDE option for Oracle Advanced Security TDE, can't be removed from an option group. Also, that option group can't be removed from a DB instance once it is associated with a DB instance. +- `performance_insights_kms_key_id` (String) The AWS KMS key identifier for encryption of Performance Insights data. + The KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. 
+ If you do not specify a value for ``PerformanceInsightsKMSKeyId``, then Amazon RDS uses your default KMS key. There is a default KMS key for your AWS account. Your AWS account has a different default KMS key for each AWS Region. + For information about enabling Performance Insights, see [EnablePerformanceInsights](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-enableperformanceinsights). +- `performance_insights_retention_period` (Number) The number of days to retain Performance Insights data. + This setting doesn't apply to RDS Custom DB instances. + Valid Values: + + ``7`` + + *month* * 31, where *month* is a number of months from 1-23. Examples: ``93`` (3 months * 31), ``341`` (11 months * 31), ``589`` (19 months * 31) + + ``731`` + + Default: ``7`` days + If you specify a retention period that isn't valid, such as ``94``, Amazon RDS returns an error. - `port` (String) The port number on which the database accepts connections. -- `preferred_backup_window` (String) The daily time range during which automated backups are created if automated backups are enabled, using the BackupRetentionPeriod parameter. -- `preferred_maintenance_window` (String) he weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC). -- `processor_features` (Attributes List) The number of CPU cores and the number of threads per core for the DB instance class of the DB instance. (see [below for nested schema](#nestedatt--processor_features)) -- `promotion_tier` (Number) A value that specifies the order in which an Aurora Replica is promoted to the primary instance after a failure of the existing primary instance. -- `publicly_accessible` (Boolean) Indicates whether the DB instance is an internet-facing instance. If you specify true, AWS CloudFormation creates an instance with a publicly resolvable DNS name, which resolves to a public IP address. 
If you specify false, AWS CloudFormation creates an internal instance with a DNS name that resolves to a private IP address. -- `replica_mode` (String) The open mode of an Oracle read replica. The default is open-read-only. + *Amazon Aurora* + Not applicable. The port number is managed by the DB cluster. + *Db2* + Default value: ``50000`` +- `preferred_backup_window` (String) The daily time range during which automated backups are created if automated backups are enabled, using the ``BackupRetentionPeriod`` parameter. For more information, see [Backup Window](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupWindow) in the *Amazon RDS User Guide.* + Constraints: + + Must be in the format ``hh24:mi-hh24:mi``. + + Must be in Universal Coordinated Time (UTC). + + Must not conflict with the preferred maintenance window. + + Must be at least 30 minutes. + + *Amazon Aurora* + Not applicable. The daily time range for creating automated backups is managed by the DB cluster. +- `preferred_maintenance_window` (String) The weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC). + Format: ``ddd:hh24:mi-ddd:hh24:mi`` + The default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region, occurring on a random day of the week. To see the time blocks available, see [Adjusting the Preferred DB Instance Maintenance Window](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Maintenance.html#AdjustingTheMaintenanceWindow) in the *Amazon RDS User Guide.* + This property applies when AWS CloudFormation initially creates the DB instance. If you use AWS CloudFormation to update the DB instance, those updates are applied immediately. + Constraints: Minimum 30-minute window. 
+- `processor_features` (Attributes List) The number of CPU cores and the number of threads per core for the DB instance class of the DB instance. + This setting doesn't apply to Amazon Aurora or RDS Custom DB instances. (see [below for nested schema](#nestedatt--processor_features)) +- `promotion_tier` (Number) The order of priority in which an Aurora Replica is promoted to the primary instance after a failure of the existing primary instance. For more information, see [Fault Tolerance for an Aurora DB Cluster](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.AuroraHighAvailability.html#Aurora.Managing.FaultTolerance) in the *Amazon Aurora User Guide*. + This setting doesn't apply to RDS Custom DB instances. + Default: ``1`` + Valid Values: ``0 - 15`` +- `publicly_accessible` (Boolean) Indicates whether the DB instance is an internet-facing instance. If you specify true, AWS CloudFormation creates an instance with a publicly resolvable DNS name, which resolves to a public IP address. If you specify false, AWS CloudFormation creates an internal instance with a DNS name that resolves to a private IP address. + The default behavior value depends on your VPC setup and the database subnet group. For more information, see the ``PubliclyAccessible`` parameter in the [CreateDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html) in the *Amazon RDS API Reference*. +- `replica_mode` (String) The open mode of an Oracle read replica. For more information, see [Working with Oracle Read Replicas for Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/oracle-read-replicas.html) in the *Amazon RDS User Guide*. + This setting is only supported in RDS for Oracle. + Default: ``open-read-only`` + Valid Values: ``open-read-only`` or ``mounted`` - `restore_time` (String) The date and time to restore from. + Constraints: + + Must be a time in Universal Coordinated Time (UTC) format. 
+ + Must be before the latest restorable time for the DB instance. + + Can't be specified if the ``UseLatestRestorableTime`` parameter is enabled. + + Example: ``2009-09-07T23:45:00Z`` - `source_db_cluster_identifier` (String) The identifier of the Multi-AZ DB cluster that will act as the source for the read replica. Each DB cluster can have up to 15 read replicas. -- `source_db_instance_automated_backups_arn` (String) The Amazon Resource Name (ARN) of the replicated automated backups from which to restore. -- `source_db_instance_identifier` (String) If you want to create a Read Replica DB instance, specify the ID of the source DB instance. Each DB instance can have a limited number of Read Replicas. + Constraints: + + Must be the identifier of an existing Multi-AZ DB cluster. + + Can't be specified if the ``SourceDBInstanceIdentifier`` parameter is also specified. + + The specified DB cluster must have automatic backups enabled, that is, its backup retention period must be greater than 0. + + The source DB cluster must be in the same AWS-Region as the read replica. Cross-Region replication isn't supported. +- `source_db_instance_automated_backups_arn` (String) The Amazon Resource Name (ARN) of the replicated automated backups from which to restore, for example, ``arn:aws:rds:us-east-1:123456789012:auto-backup:ab-L2IJCEXJP7XQ7HOJ4SIEXAMPLE``. + This setting doesn't apply to RDS Custom. +- `source_db_instance_identifier` (String) If you want to create a read replica DB instance, specify the ID of the source DB instance. Each DB instance can have a limited number of read replicas. For more information, see [Working with Read Replicas](https://docs.aws.amazon.com/AmazonRDS/latest/DeveloperGuide/USER_ReadRepl.html) in the *Amazon RDS User Guide*. 
+ For information about constraints that apply to DB instance identifiers, see [Naming constraints in Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Limits.html#RDS_Limits.Constraints) in the *Amazon RDS User Guide*. + The ``SourceDBInstanceIdentifier`` property determines whether a DB instance is a read replica. If you remove the ``SourceDBInstanceIdentifier`` property from your template and then update your stack, AWS CloudFormation promotes the Read Replica to a standalone DB instance. + + If you specify a source DB instance that uses VPC security groups, we recommend that you specify the ``VPCSecurityGroups`` property. If you don't specify the - `source_dbi_resource_id` (String) The resource ID of the source DB instance from which to restore. -- `source_region` (String) The ID of the region that contains the source DB instance for the Read Replica. +- `source_region` (String) The ID of the region that contains the source DB instance for the read replica. - `storage_encrypted` (Boolean) A value that indicates whether the DB instance is encrypted. By default, it isn't encrypted. -- `storage_throughput` (Number) Specifies the storage throughput for the DB instance. + If you specify the ``KmsKeyId`` property, then you must enable encryption. + If you specify the ``SourceDBInstanceIdentifier`` property, don't specify this property. The value is inherited from the source DB instance, and if the DB instance is encrypted, the specified ``KmsKeyId`` property is used. + If you specify the ``DBSnapshotIdentifier`` and the specified snapshot is encrypted, don't specify this property. The value is inherited from the snapshot, and the specified ``KmsKeyId`` property is used. + If you specify the ``DBSnapshotIdentifier`` and the specified snapshot isn't encrypted, you can use this property to specify that the restored DB instance is encrypted. Specify the ``KmsKeyId`` property for the KMS key to use for encryption. 
If you don't want the restored DB instance to be encrypted, then don't set this property or set it to ``false``. + *Amazon Aurora* + Not applicable. The encrypt +- `storage_throughput` (Number) Specifies the storage throughput value for the DB instance. This setting applies only to the ``gp3`` storage type. + This setting doesn't apply to RDS Custom or Amazon Aurora. - `storage_type` (String) Specifies the storage type to be associated with the DB instance. -- `tags` (Attributes List) Tags to assign to the DB instance. (see [below for nested schema](#nestedatt--tags)) -- `tde_credential_arn` (String) The ARN from the key store with which to associate the instance for TDE encryption. -- `tde_credential_password` (String) The password for the given ARN from the key store in order to access the device. -- `timezone` (String) The time zone of the DB instance. The time zone parameter is currently supported only by Microsoft SQL Server. -- `use_default_processor_features` (Boolean) A value that indicates whether the DB instance class of the DB instance uses its default processor features. -- `use_latest_restorable_time` (Boolean) A value that indicates whether the DB instance is restored from the latest backup time. By default, the DB instance isn't restored from the latest backup time. -- `vpc_security_groups` (List of String) A list of the VPC security group IDs to assign to the DB instance. The list can include both the physical IDs of existing VPC security groups and references to AWS::EC2::SecurityGroup resources created in the template. + Valid values: ``gp2 | gp3 | io1 | standard`` + The ``standard`` value is also known as magnetic. + If you specify ``io1`` or ``gp3``, you must also include a value for the ``Iops`` parameter. 
+ Default: ``io1`` if the ``Iops`` parameter is specified, otherwise ``gp2`` + For more information, see [Amazon RDS DB Instance Storage](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html) in the *Amazon RDS User Guide*. + *Amazon Aurora* + Not applicable. Aurora data is stored in the cluster volume, which is a single, virtual volume that uses solid state drives (SSDs). +- `tags` (Attributes List) An optional array of key-value pairs to apply to this DB instance. (see [below for nested schema](#nestedatt--tags)) +- `tde_credential_arn` (String) +- `tde_credential_password` (String) +- `timezone` (String) The time zone of the DB instance. The time zone parameter is currently supported only by [Microsoft SQL Server](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html#SQLServer.Concepts.General.TimeZone). +- `use_default_processor_features` (Boolean) Specifies whether the DB instance class of the DB instance uses its default processor features. + This setting doesn't apply to RDS Custom DB instances. +- `use_latest_restorable_time` (Boolean) Specifies whether the DB instance is restored from the latest backup time. By default, the DB instance isn't restored from the latest backup time. + Constraints: + + Can't be specified if the ``RestoreTime`` parameter is provided. +- `vpc_security_groups` (List of String) A list of the VPC security group IDs to assign to the DB instance. The list can include both the physical IDs of existing VPC security groups and references to [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html) resources created in the template. + If you plan to update the resource, don't specify VPC security groups in a shared VPC. 
+ If you set ``VPCSecurityGroups``, you must not set [DBSecurityGroups](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-dbsecuritygroups), and vice versa. + You can migrate a DB instance in your stack from an RDS DB security group to a VPC security group, but keep the following in mind: + + You can't revert to using an RDS security group after you establish a VPC security group membership. + + When you migrate your DB instance to VPC security groups, if your stack update rolls back because the DB instanc ### Read-Only -- `db_instance_arn` (String) The Amazon Resource Name (ARN) for the DB instance. -- `db_system_id` (String) The Oracle system ID (Oracle SID) for a container database (CDB). The Oracle SID is also the name of the CDB. This setting is valid for RDS Custom only. -- `dbi_resource_id` (String) The AWS Region-unique, immutable identifier for the DB instance. This identifier is found in AWS CloudTrail log entries whenever the AWS KMS key for the DB instance is accessed. +- `db_instance_arn` (String) +- `db_system_id` (String) The Oracle system identifier (SID), which is the name of the Oracle database instance that manages your database files. In this context, the term "Oracle database instance" refers exclusively to the system global area (SGA) and Oracle background processes. If you don't specify a SID, the value defaults to ``RDSCDB``. The Oracle SID is also the name of your CDB. +- `dbi_resource_id` (String) - `id` (String) Uniquely identifies the resource. 
@@ -217,7 +532,7 @@ Constraints: Required: -- `feature_name` (String) The name of the feature associated with the AWS Identity and Access Management (IAM) role. IAM roles that are associated with a DB instance grant permission for the DB instance to access other AWS services on your behalf. +- `feature_name` (String) The name of the feature associated with the AWS Identity and Access Management (IAM) role. IAM roles that are associated with a DB instance grant permission for the DB instance to access other AWS services on your behalf. For the list of supported feature names, see the ``SupportedFeatureNames`` description in [DBEngineVersion](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DBEngineVersion.html) in the *Amazon RDS API Reference*. - `role_arn` (String) The Amazon Resource Name (ARN) of the IAM role that is associated with the DB instance. @@ -227,7 +542,7 @@ Required: Read-Only: - `ca_identifier` (String) The CA identifier of the CA certificate used for the DB instance's server certificate. -- `valid_till` (String) The expiration date of the DB instance’s server certificate. +- `valid_till` (String) The expiration date of the DB instance?s server certificate. @@ -257,7 +572,7 @@ Read-Only: Optional: -- `name` (String) The name of the processor feature. Valid names are coreCount and threadsPerCore. +- `name` (String) The name of the processor feature. Valid names are ``coreCount`` and ``threadsPerCore``. - `value` (String) The value of a processor feature name. 
@@ -266,11 +581,11 @@ Optional: Required: -- `key` (String) The key name of the tag. You can specify a value that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -. +- `key` (String) A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with ``aws:`` or ``rds:``. The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: "^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]*)$"). Optional: -- `value` (String) The value for the tag. You can specify a value that is 0 to 256 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -. +- `value` (String) A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with ``aws:`` or ``rds:``. The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: "^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]*)$"). ## Import diff --git a/docs/resources/rds_db_parameter_group.md b/docs/resources/rds_db_parameter_group.md index 003a11d700..a49b57d1d5 100644 --- a/docs/resources/rds_db_parameter_group.md +++ b/docs/resources/rds_db_parameter_group.md 
@@ -2,12 +2,20 @@ page_title: "awscc_rds_db_parameter_group Resource - terraform-provider-awscc" subcategory: "" description: |- - The AWS::RDS::DBParameterGroup resource creates a custom parameter group for an RDS database family + The AWS::RDS::DBParameterGroup resource creates a custom parameter group for an RDS database family. + This type can be declared in a template and referenced in the DBParameterGroupName property of an AWS::RDS::DBInstance resource. + For information about configuring parameters for Amazon RDS DB instances, see Working with parameter groups https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithParamGroups.html in the Amazon RDS User Guide. + For information about configuring parameters for Amazon Aurora DB instances, see Working with parameter groups https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_WorkingWithParamGroups.html in the Amazon Aurora User Guide. + Applying a parameter group to a DB instance may require the DB instance to reboot, resulting in a database outage for the duration of the reboot. --- # awscc_rds_db_parameter_group (Resource) -The AWS::RDS::DBParameterGroup resource creates a custom parameter group for an RDS database family +The ``AWS::RDS::DBParameterGroup`` resource creates a custom parameter group for an RDS database family. + This type can be declared in a template and referenced in the ``DBParameterGroupName`` property of an ``AWS::RDS::DBInstance`` resource. + For information about configuring parameters for Amazon RDS DB instances, see [Working with parameter groups](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithParamGroups.html) in the *Amazon RDS User Guide*. + For information about configuring parameters for Amazon Aurora DB instances, see [Working with parameter groups](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_WorkingWithParamGroups.html) in the *Amazon Aurora User Guide*. 
+ Applying a parameter group to a DB instance may require the DB instance to reboot, resulting in a database outage for the duration of the reboot. ## Example Usage 
@@ -68,13 +76,30 @@ resource "awscc_rds_db_parameter_group" "this" { ### Required - `description` (String) Provides the customer-specified description for this DB parameter group. -- `family` (String) The DB parameter group family name. +- `family` (String) The DB parameter group family name. A DB parameter group can be associated with one and only one DB parameter group family, and can be applied only to a DB instance running a DB engine and engine version compatible with that DB parameter group family. + The DB parameter group family can't be changed when updating a DB parameter group. + To list all of the available parameter group families, use the following command: + ``aws rds describe-db-engine-versions --query "DBEngineVersions[].DBParameterGroupFamily"`` + The output contains duplicates. + For more information, see ``CreateDBParameterGroup``. ### Optional -- `db_parameter_group_name` (String) Specifies the name of the DB parameter group -- `parameters` (String) An array of parameter names and values for the parameter update. -- `tags` (Attributes List) An array of key-value pairs to apply to this resource. (see [below for nested schema](#nestedatt--tags)) +- `db_parameter_group_name` (String) The name of the DB parameter group. + Constraints: + + Must be 1 to 255 letters, numbers, or hyphens. + + First character must be a letter + + Can't end with a hyphen or contain two consecutive hyphens + + If you don't specify a value for ``DBParameterGroupName`` property, a name is automatically created for the DB parameter group. + This value is stored as a lowercase string. +- `parameters` (String) An array of parameter names and values for the parameter update. At least one parameter name and value must be supplied. Subsequent arguments are optional. + RDS for Db2 requires you to bring your own Db2 license. You must enter your IBM customer ID (``rds.ibm_customer_id``) and site number (``rds.ibm_site_id``) before starting a Db2 instance. 
+ For more information about DB parameters and DB parameter groups for Amazon RDS DB engines, see [Working with DB Parameter Groups](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithParamGroups.html) in the *Amazon RDS User Guide*. + For more information about DB cluster and DB instance parameters and parameter groups for Amazon Aurora DB engines, see [Working with DB Parameter Groups and DB Cluster Parameter Groups](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_WorkingWithParamGroups.html) in the *Amazon Aurora User Guide*. + AWS CloudFormation doesn't support specifying an apply method for each individual +- `tags` (Attributes List) An optional array of key-value pairs to apply to this DB parameter group. + Currently, this is the only property that supports drift detection. (see [below for nested schema](#nestedatt--tags)) ### Read-Only 
@@ -85,11 +110,11 @@ resource "awscc_rds_db_parameter_group" "this" { Required: -- `key` (String) The key name of the tag. You can specify a value that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -. +- `key` (String) A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with ``aws:`` or ``rds:``. The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: "^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]*)$"). Optional: -- `value` (String) The value for the tag. You can specify a value that is 0 to 256 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -. +- `value` (String) A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with ``aws:`` or ``rds:``. The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: "^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]*)$"). ## Import diff --git a/docs/resources/rds_db_subnet_group.md b/docs/resources/rds_db_subnet_group.md index 296d378452..33f7b341ca 100644 --- a/docs/resources/rds_db_subnet_group.md +++ b/docs/resources/rds_db_subnet_group.md 
@@ -3,11 +3,13 @@ page_title: "awscc_rds_db_subnet_group Resource - terraform-provider-awscc" subcategory: "" description: |- The AWS::RDS::DBSubnetGroup resource creates a database subnet group. Subnet groups must contain at least two subnets in two different Availability Zones in the same region. + For more information, see Working with DB subnet groups https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Subnets in the Amazon RDS User Guide. --- # awscc_rds_db_subnet_group (Resource) -The AWS::RDS::DBSubnetGroup resource creates a database subnet group. Subnet groups must contain at least two subnets in two different Availability Zones in the same region. +The ``AWS::RDS::DBSubnetGroup`` resource creates a database subnet group. Subnet groups must contain at least two subnets in two different Availability Zones in the same region. + For more information, see [Working with DB subnet groups](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Subnets) in the *Amazon RDS User Guide*. ## Example Usage 
@@ -41,13 +43,15 @@ resource "awscc_rds_db_subnet_group" "example" { ### Required -- `db_subnet_group_description` (String) -- `subnet_ids` (List of String) +- `db_subnet_group_description` (String) The description for the DB subnet group. +- `subnet_ids` (List of String) The EC2 Subnet IDs for the DB subnet group. ### Optional -- `db_subnet_group_name` (String) -- `tags` (Attributes List) An array of key-value pairs to apply to this resource. (see [below for nested schema](#nestedatt--tags)) +- `db_subnet_group_name` (String) The name for the DB subnet group. This value is stored as a lowercase string. + Constraints: Must contain no more than 255 lowercase alphanumeric characters or hyphens. Must not be "Default". + Example: ``mysubnetgroup`` +- `tags` (Attributes List) An optional array of key-value pairs to apply to this DB subnet group. (see [below for nested schema](#nestedatt--tags)) ### Read-Only 
@@ -58,11 +62,11 @@ resource "awscc_rds_db_subnet_group" "example" { Required: -- `key` (String) The key name of the tag. You can specify a value that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -. +- `key` (String) A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with ``aws:`` or ``rds:``. The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: "^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]*)$"). Optional: -- `value` (String) The value for the tag. You can specify a value that is 0 to 256 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -. +- `value` (String) A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with ``aws:`` or ``rds:``. The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: "^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]*)$"). ## Import diff --git a/docs/resources/s3_bucket.md b/docs/resources/s3_bucket.md index ce63476294..bba69041d8 100644 --- a/docs/resources/s3_bucket.md +++ b/docs/resources/s3_bucket.md 
@@ -2,12 +2,16 @@ page_title: "awscc_s3_bucket Resource - terraform-provider-awscc" subcategory: "" description: |- - Resource Type definition for AWS::S3::Bucket + The AWS::S3::Bucket resource creates an Amazon S3 bucket in the same AWS Region where you create the AWS CloudFormation stack. + To control how AWS CloudFormation handles the bucket when the stack is deleted, you can set a deletion policy for your bucket. You can choose to retain the bucket or to delete the bucket. For more information, see DeletionPolicy Attribute https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html. + You can only delete empty buckets. Deletion fails for buckets that have contents. --- # awscc_s3_bucket (Resource) -Resource Type definition for AWS::S3::Bucket +The ``AWS::S3::Bucket`` resource creates an Amazon S3 bucket in the same AWS Region where you create the AWS CloudFormation stack. + To control how AWS CloudFormation handles the bucket when the stack is deleted, you can set a deletion policy for your bucket. You can choose to *retain* the bucket or to *delete* the bucket. For more information, see [DeletionPolicy Attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html). + You can only delete empty buckets. Deletion fails for buckets that have contents. ## Example Usage ### Create a s3 bucket 
@@ -72,26 +76,35 @@ resource "awscc_s3_bucket" "example" { ### Optional -- `accelerate_configuration` (Attributes) Configuration for the transfer acceleration state. (see [below for nested schema](#nestedatt--accelerate_configuration)) -- `access_control` (String) A canned access control list (ACL) that grants predefined permissions to the bucket. -- `analytics_configurations` (Attributes List) The configuration and any analyses for the analytics filter of an Amazon S3 bucket. (see [below for nested schema](#nestedatt--analytics_configurations)) -- `bucket_encryption` (Attributes) Specifies default encryption for a bucket using server-side encryption with either Amazon S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS). (see [below for nested schema](#nestedatt--bucket_encryption)) -- `bucket_name` (String) A name for the bucket. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the bucket name. -- `cors_configuration` (Attributes) Rules that define cross-origin resource sharing of objects in this bucket. (see [below for nested schema](#nestedatt--cors_configuration)) -- `intelligent_tiering_configurations` (Attributes List) Specifies the S3 Intelligent-Tiering configuration for an Amazon S3 bucket. (see [below for nested schema](#nestedatt--intelligent_tiering_configurations)) -- `inventory_configurations` (Attributes List) The inventory configuration for an Amazon S3 bucket. (see [below for nested schema](#nestedatt--inventory_configurations)) -- `lifecycle_configuration` (Attributes) Rules that define how Amazon S3 manages objects during their lifetime. (see [below for nested schema](#nestedatt--lifecycle_configuration)) +- `accelerate_configuration` (Attributes) Configures the transfer acceleration state for an Amazon S3 bucket. For more information, see [Amazon S3 Transfer Acceleration](https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html) in the *Amazon S3 User Guide*. 
(see [below for nested schema](#nestedatt--accelerate_configuration)) +- `access_control` (String) This is a legacy property, and it is not recommended for most use cases. A majority of modern use cases in Amazon S3 no longer require the use of ACLs, and we recommend that you keep ACLs disabled. For more information, see [Controlling object ownership](https://docs.aws.amazon.com//AmazonS3/latest/userguide/about-object-ownership.html) in the *Amazon S3 User Guide*. + A canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) in the *Amazon S3 User Guide*. + S3 buckets are created with ACLs disabled by default. Therefore, unless you explicitly set the [AWS::S3::OwnershipControls](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-ownershipcontrols.html) property to enable ACLs, your resource will fail to deploy with any value other than Private. Use cases requiring ACLs are uncommon. + The majority of access control configurations can be successfully and more easily achieved with bucket policies. For more information, see [AWS::S3::BucketPolicy](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html). For examples of common policy configurations, including S3 Server Access Logs buckets and more, see [Bucket policy examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html) in the *Amazon S3 User Guide*. +- `analytics_configurations` (Attributes List) Specifies the configuration and any analyses for the analytics filter of an Amazon S3 bucket. 
(see [below for nested schema](#nestedatt--analytics_configurations)) +- `bucket_encryption` (Attributes) Specifies default encryption for a bucket using server-side encryption with Amazon S3-managed keys (SSE-S3), AWS KMS-managed keys (SSE-KMS), or dual-layer server-side encryption with KMS-managed keys (DSSE-KMS). For information about the Amazon S3 default encryption feature, see [Amazon S3 Default Encryption for S3 Buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html) in the *Amazon S3 User Guide*. (see [below for nested schema](#nestedatt--bucket_encryption)) +- `bucket_name` (String) A name for the bucket. If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the bucket name. The bucket name must contain only lowercase letters, numbers, periods (.), and dashes (-) and must follow [Amazon S3 bucket restrictions and limitations](https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html). For more information, see [Rules for naming Amazon S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html#bucketnamingrules) in the *Amazon S3 User Guide*. + If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you need to replace the resource, specify a new name. +- `cors_configuration` (Attributes) Describes the cross-origin access configuration for objects in an Amazon S3 bucket. For more information, see [Enabling Cross-Origin Resource Sharing](https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html) in the *Amazon S3 User Guide*. (see [below for nested schema](#nestedatt--cors_configuration)) +- `intelligent_tiering_configurations` (Attributes List) Defines how Amazon S3 handles Intelligent-Tiering storage. 
(see [below for nested schema](#nestedatt--intelligent_tiering_configurations)) +- `inventory_configurations` (Attributes List) Specifies the inventory configuration for an Amazon S3 bucket. For more information, see [GET Bucket inventory](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETInventoryConfig.html) in the *Amazon S3 API Reference*. (see [below for nested schema](#nestedatt--inventory_configurations)) +- `lifecycle_configuration` (Attributes) Specifies the lifecycle configuration for objects in an Amazon S3 bucket. For more information, see [Object Lifecycle Management](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html) in the *Amazon S3 User Guide*. (see [below for nested schema](#nestedatt--lifecycle_configuration)) - `logging_configuration` (Attributes) Settings that define where logs are stored. (see [below for nested schema](#nestedatt--logging_configuration)) -- `metrics_configurations` (Attributes List) Settings that define a metrics configuration for the CloudWatch request metrics from the bucket. (see [below for nested schema](#nestedatt--metrics_configurations)) +- `metrics_configurations` (Attributes List) Specifies a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from an Amazon S3 bucket. If you're updating an existing metrics configuration, note that this is a full replacement of the existing metrics configuration. If you don't include the elements you want to keep, they are erased. For more information, see [PutBucketMetricsConfiguration](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTMetricConfiguration.html). (see [below for nested schema](#nestedatt--metrics_configurations)) - `notification_configuration` (Attributes) Configuration that defines how Amazon S3 handles bucket notifications. 
(see [below for nested schema](#nestedatt--notification_configuration)) -- `object_lock_configuration` (Attributes) Places an Object Lock configuration on the specified bucket. (see [below for nested schema](#nestedatt--object_lock_configuration)) -- `object_lock_enabled` (Boolean) Indicates whether this bucket has an Object Lock configuration enabled. -- `ownership_controls` (Attributes) Specifies the container element for object ownership rules. (see [below for nested schema](#nestedatt--ownership_controls)) +- `object_lock_configuration` (Attributes) This operation is not supported by directory buckets. + Places an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see [Locking Objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html). + + The ``DefaultRetention`` settings require both a mode and a period. + + The ``DefaultRetention`` period can be either ``Days`` or ``Years`` but you must select one. You cannot specify ``Days`` and ``Years`` at the same time. + + You can enable Object Lock for new or existing buckets. For more information, see [Configuring Object Lock](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-configure.html). (see [below for nested schema](#nestedatt--object_lock_configuration)) +- `object_lock_enabled` (Boolean) Indicates whether this bucket has an Object Lock configuration enabled. Enable ``ObjectLockEnabled`` when you apply ``ObjectLockConfiguration`` to a bucket. +- `ownership_controls` (Attributes) Configuration that defines how Amazon S3 handles Object Ownership rules. (see [below for nested schema](#nestedatt--ownership_controls)) - `public_access_block_configuration` (Attributes) Configuration that defines how Amazon S3 handles public access. 
(see [below for nested schema](#nestedatt--public_access_block_configuration)) -- `replication_configuration` (Attributes) Configuration for replicating objects in an S3 bucket. (see [below for nested schema](#nestedatt--replication_configuration)) +- `replication_configuration` (Attributes) Configuration for replicating objects in an S3 bucket. To enable replication, you must also enable versioning by using the ``VersioningConfiguration`` property. + Amazon S3 can store replicated objects in a single destination bucket or multiple destination buckets. The destination bucket or buckets must already exist. (see [below for nested schema](#nestedatt--replication_configuration)) - `tags` (Attributes List) An arbitrary set of tags (key-value pairs) for this S3 bucket. (see [below for nested schema](#nestedatt--tags)) -- `versioning_configuration` (Attributes) Describes the versioning state of an Amazon S3 bucket. (see [below for nested schema](#nestedatt--versioning_configuration)) -- `website_configuration` (Attributes) Specifies website configuration parameters for an Amazon S3 bucket. (see [below for nested schema](#nestedatt--website_configuration)) +- `versioning_configuration` (Attributes) Enables multiple versions of all objects in this bucket. You might enable versioning to prevent objects from being deleted or overwritten by mistake or to archive objects so that you can retrieve previous versions of them. (see [below for nested schema](#nestedatt--versioning_configuration)) +- `website_configuration` (Attributes) Information used to configure the bucket as a static website. For more information, see [Hosting Websites on Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html). (see [below for nested schema](#nestedatt--website_configuration)) ### Read-Only 
@@ -107,7 +120,7 @@ resource "awscc_s3_bucket" "example" { Required: -- `acceleration_status` (String) Configures the transfer acceleration state for an Amazon S3 bucket. +- `acceleration_status` (String) Specifies the transfer acceleration status of the bucket. @@ -116,12 +129,13 @@ Required: Required: - `id` (String) The ID that identifies the analytics configuration. -- `storage_class_analysis` (Attributes) Specifies data related to access patterns to be collected and made available to analyze the tradeoffs between different storage classes for an Amazon S3 bucket. (see [below for nested schema](#nestedatt--analytics_configurations--storage_class_analysis)) +- `storage_class_analysis` (Attributes) Contains data related to access patterns to be collected and made available to analyze the tradeoffs between different storage classes. (see [below for nested schema](#nestedatt--analytics_configurations--storage_class_analysis)) Optional: - `prefix` (String) The prefix that an object must have to be included in the analytics results. -- `tag_filters` (Attributes List) (see [below for nested schema](#nestedatt--analytics_configurations--tag_filters)) +- `tag_filters` (Attributes List) The tags to use when evaluating an analytics filter. + The analytics only includes objects that meet the filter's criteria. If no filter is specified, all of the contents of the bucket are included in the analysis. (see [below for nested schema](#nestedatt--analytics_configurations--tag_filters)) ### Nested Schema for `analytics_configurations.storage_class_analysis` 
@@ -135,8 +149,8 @@ Optional: Required: -- `destination` (Attributes) Specifies information about where to publish analysis or configuration results for an Amazon S3 bucket and S3 Replication Time Control (S3 RTC). (see [below for nested schema](#nestedatt--analytics_configurations--storage_class_analysis--data_export--destination)) -- `output_schema_version` (String) The version of the output schema to use when exporting data. +- `destination` (Attributes) The place to store the data for an analysis. (see [below for nested schema](#nestedatt--analytics_configurations--storage_class_analysis--data_export--destination)) +- `output_schema_version` (String) The version of the output schema to use when exporting data. Must be ``V_1``. ### Nested Schema for `analytics_configurations.storage_class_analysis.data_export.output_schema_version` @@ -145,10 +159,12 @@ Required: - `bucket_arn` (String) The Amazon Resource Name (ARN) of the bucket to which data is exported. - `format` (String) Specifies the file format used when exporting data to Amazon S3. + *Allowed values*: ``CSV`` | ``ORC`` | ``Parquet`` Optional: -- `bucket_account_id` (String) The account ID that owns the destination S3 bucket. +- `bucket_account_id` (String) The account ID that owns the destination S3 bucket. If no account ID is provided, the owner is not validated before exporting data. + Although this value is optional, we strongly recommend that you set it to help prevent problems if the destination bucket ownership changes. - `prefix` (String) The prefix to use when exporting data. The prefix is prepended to all results. @@ -159,8 +175,8 @@ Optional: Required: -- `key` (String) -- `value` (String) +- `key` (String) The tag key. +- `value` (String) The tag value. 
@@ -176,7 +192,8 @@ Required: Optional: -- `bucket_key_enabled` (Boolean) Specifies whether Amazon S3 should use an S3 Bucket Key with server-side encryption using KMS (SSE-KMS) for new objects in the bucket. Existing objects are not affected. Setting the BucketKeyEnabled element to true causes Amazon S3 to use an S3 Bucket Key. By default, S3 Bucket Key is not enabled. +- `bucket_key_enabled` (Boolean) Specifies whether Amazon S3 should use an S3 Bucket Key with server-side encryption using KMS (SSE-KMS) for new objects in the bucket. Existing objects are not affected. Setting the ``BucketKeyEnabled`` element to ``true`` causes Amazon S3 to use an S3 Bucket Key. By default, S3 Bucket Key is not enabled. + For more information, see [Amazon S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html) in the *Amazon S3 User Guide*. - `server_side_encryption_by_default` (Attributes) Specifies the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. (see [below for nested schema](#nestedatt--bucket_encryption--server_side_encryption_configuration--server_side_encryption_by_default)) 
@@ -184,11 +201,19 @@ Optional: Required: -- `sse_algorithm` (String) +- `sse_algorithm` (String) Server-side encryption algorithm to use for the default encryption. Optional: -- `kms_master_key_id` (String) "KMSMasterKeyID" can only be used when you set the value of SSEAlgorithm as aws:kms or aws:kms:dsse. +- `kms_master_key_id` (String) AWS Key Management Service (KMS) customer AWS KMS key ID to use for the default encryption. This parameter is allowed if and only if ``SSEAlgorithm`` is set to ``aws:kms`` or ``aws:kms:dsse``. + You can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the KMS key. + + Key ID: ``1234abcd-12ab-34cd-56ef-1234567890ab`` + + Key ARN: ``arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`` + + Key Alias: ``alias/alias-name`` + + If you use a key ID, you can run into a LogDestination undeliverable error when creating a VPC flow log. + If you are using encryption with cross-account or AWS service operations you must use a fully qualified KMS key ARN. For more information, see [Using encryption for cross-account operations](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy). + Amazon S3 only supports symmetric encryption KMS keys. For more information, see [Asymmetric keys in KMS](https://docs.aws.amazon.com//kms/latest/developerguide/symmetric-asymmetric.html) in the *Key Management Service Developer Guide*. 
@@ -198,21 +223,22 @@ Optional: Required: -- `cors_rules` (Attributes List) (see [below for nested schema](#nestedatt--cors_configuration--cors_rules)) +- `cors_rules` (Attributes List) A set of origins and methods (cross-origin access that you want to allow). You can add up to 100 rules to the configuration. (see [below for nested schema](#nestedatt--cors_configuration--cors_rules)) ### Nested Schema for `cors_configuration.cors_rules` Required: -- `allowed_methods` (List of String) An HTTP method that you allow the origin to execute. +- `allowed_methods` (List of String) An HTTP method that you allow the origin to run. + *Allowed values*: ``GET`` | ``PUT`` | ``HEAD`` | ``POST`` | ``DELETE`` - `allowed_origins` (List of String) One or more origins you want customers to be able to access the bucket from. Optional: -- `allowed_headers` (List of String) Headers that are specified in the Access-Control-Request-Headers header. -- `exposed_headers` (List of String) One or more headers in the response that you want customers to be able to access from their applications (for example, from a JavaScript XMLHttpRequest object). -- `id` (String) A unique identifier for this rule. +- `allowed_headers` (List of String) Headers that are specified in the ``Access-Control-Request-Headers`` header. These headers are allowed in a preflight OPTIONS request. In response to any preflight OPTIONS request, Amazon S3 returns any requested headers that are allowed. +- `exposed_headers` (List of String) One or more headers in the response that you want customers to be able to access from their applications (for example, from a JavaScript ``XMLHttpRequest`` object). +- `id` (String) A unique identifier for this rule. The value must be no more than 255 characters. - `max_age` (Number) The time in seconds that your browser is to cache the preflight response for the specified resource. 
@@ -224,7 +250,8 @@ Required: - `id` (String) The ID used to identify the S3 Intelligent-Tiering configuration. - `status` (String) Specifies the status of the configuration. -- `tierings` (Attributes List) Specifies a list of S3 Intelligent-Tiering storage class tiers in the configuration. At least one tier must be defined in the list. At most, you can specify two tiers in the list, one for each available AccessTier: ARCHIVE_ACCESS and DEEP_ARCHIVE_ACCESS. (see [below for nested schema](#nestedatt--intelligent_tiering_configurations--tierings)) +- `tierings` (Attributes List) Specifies a list of S3 Intelligent-Tiering storage class tiers in the configuration. At least one tier must be defined in the list. At most, you can specify two tiers in the list, one for each available AccessTier: ``ARCHIVE_ACCESS`` and ``DEEP_ARCHIVE_ACCESS``. + You only need Intelligent Tiering Configuration enabled on a bucket if you want to automatically move objects stored in the Intelligent-Tiering storage class to Archive Access or Deep Archive Access tiers. (see [below for nested schema](#nestedatt--intelligent_tiering_configurations--tierings)) Optional: 
@@ -236,7 +263,7 @@ Optional: Required: -- `access_tier` (String) S3 Intelligent-Tiering access tier. See Storage class for automatically optimizing frequently and infrequently accessed objects for a list of access tiers in the S3 Intelligent-Tiering storage class. +- `access_tier` (String) S3 Intelligent-Tiering access tier. See [Storage class for automatically optimizing frequently and infrequently accessed objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html#sc-dynamic-data-access) for a list of access tiers in the S3 Intelligent-Tiering storage class. - `days` (Number) The number of consecutive days of no access after which an object will be eligible to be transitioned to the corresponding tier. The minimum number of days specified for Archive Access tier must be at least 90 days and Deep Archive Access tier must be at least 180 days. The maximum can be up to 2 years (730 days). @@ -245,8 +272,8 @@ Required: Required: -- `key` (String) -- `value` (String) +- `key` (String) The tag key. +- `value` (String) The tag value. 
@@ -255,16 +282,16 @@ Required: Required: -- `destination` (Attributes) Specifies information about where to publish analysis or configuration results for an Amazon S3 bucket and S3 Replication Time Control (S3 RTC). (see [below for nested schema](#nestedatt--inventory_configurations--destination)) -- `enabled` (Boolean) Specifies whether the inventory is enabled or disabled. +- `destination` (Attributes) Contains information about where to publish the inventory results. (see [below for nested schema](#nestedatt--inventory_configurations--destination)) +- `enabled` (Boolean) Specifies whether the inventory is enabled or disabled. If set to ``True``, an inventory list is generated. If set to ``False``, no inventory list is generated. - `id` (String) The ID used to identify the inventory configuration. -- `included_object_versions` (String) Object versions to include in the inventory list. +- `included_object_versions` (String) Object versions to include in the inventory list. If set to ``All``, the list includes all the object versions, which adds the version-related fields ``VersionId``, ``IsLatest``, and ``DeleteMarker`` to the list. If set to ``Current``, the list does not contain these version-related fields. - `schedule_frequency` (String) Specifies the schedule for generating inventory results. Optional: - `optional_fields` (List of String) Contains the optional fields that are included in the inventory results. -- `prefix` (String) The prefix that is prepended to all inventory results. +- `prefix` (String) Specifies the inventory filter prefix. ### Nested Schema for `inventory_configurations.destination` 
@@ -273,10 +300,12 @@ Required: - `bucket_arn` (String) The Amazon Resource Name (ARN) of the bucket to which data is exported. - `format` (String) Specifies the file format used when exporting data to Amazon S3. + *Allowed values*: ``CSV`` | ``ORC`` | ``Parquet`` Optional: -- `bucket_account_id` (String) The account ID that owns the destination S3 bucket. +- `bucket_account_id` (String) The account ID that owns the destination S3 bucket. If no account ID is provided, the owner is not validated before exporting data. + Although this value is optional, we strongly recommend that you set it to help prevent problems if the destination bucket ownership changes. - `prefix` (String) The prefix to use when exporting data. The prefix is prepended to all results. 
@@ -293,32 +322,33 @@ Required: Required: -- `status` (String) +- `status` (String) If ``Enabled``, the rule is currently being applied. If ``Disabled``, the rule is not currently being applied. Optional: -- `abort_incomplete_multipart_upload` (Attributes) Specifies the days since the initiation of an incomplete multipart upload that Amazon S3 will wait before permanently removing all parts of the upload. (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--abort_incomplete_multipart_upload)) -- `expiration_date` (String) The date value in ISO 8601 format. The timezone is always UTC. (YYYY-MM-DDThh:mm:ssZ) -- `expiration_in_days` (Number) -- `expired_object_delete_marker` (Boolean) -- `id` (String) -- `noncurrent_version_expiration` (Attributes) Container for the expiration rule that describes when noncurrent objects are expired. If your bucket is versioning-enabled (or versioning is suspended), you can set this action to request that Amazon S3 expire noncurrent object versions at a specific period in the object's lifetime (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--noncurrent_version_expiration)) -- `noncurrent_version_expiration_in_days` (Number) -- `noncurrent_version_transition` (Attributes) Container for the transition rule that describes when noncurrent objects transition to the STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER_IR, GLACIER, or DEEP_ARCHIVE storage class. If your bucket is versioning-enabled (or versioning is suspended), you can set this action to request that Amazon S3 transition noncurrent object versions to the STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER_IR, GLACIER, or DEEP_ARCHIVE storage class at a specific period in the object's lifetime. 
(see [below for nested schema](#nestedatt--lifecycle_configuration--rules--noncurrent_version_transition)) -- `noncurrent_version_transitions` (Attributes List) (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--noncurrent_version_transitions)) -- `object_size_greater_than` (String) -- `object_size_less_than` (String) -- `prefix` (String) -- `tag_filters` (Attributes List) (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--tag_filters)) -- `transition` (Attributes) You must specify at least one of "TransitionDate" and "TransitionInDays" (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--transition)) -- `transitions` (Attributes List) (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--transitions)) +- `abort_incomplete_multipart_upload` (Attributes) Specifies a lifecycle rule that stops incomplete multipart uploads to an Amazon S3 bucket. (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--abort_incomplete_multipart_upload)) +- `expiration_date` (String) Indicates when objects are deleted from Amazon S3 and Amazon S3 Glacier. The date value must be in ISO 8601 format. The time is always midnight UTC. If you specify an expiration and transition time, you must use the same time unit for both properties (either in days or by date). The expiration time must also be later than the transition time. +- `expiration_in_days` (Number) Indicates the number of days after creation when objects are deleted from Amazon S3 and Amazon S3 Glacier. If you specify an expiration and transition time, you must use the same time unit for both properties (either in days or by date). The expiration time must also be later than the transition time. +- `expired_object_delete_marker` (Boolean) Indicates whether Amazon S3 will remove a delete marker without any noncurrent versions. If set to true, the delete marker will be removed if there are no noncurrent versions. 
This cannot be specified with ``ExpirationInDays``, ``ExpirationDate``, or ``TagFilters``. +- `id` (String) Unique identifier for the rule. The value can't be longer than 255 characters. +- `noncurrent_version_expiration` (Attributes) Specifies when noncurrent object versions expire. Upon expiration, S3 permanently deletes the noncurrent object versions. You set this lifecycle configuration action on a bucket that has versioning enabled (or suspended) to request that S3 delete noncurrent object versions at a specific period in the object's lifetime. (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--noncurrent_version_expiration)) +- `noncurrent_version_expiration_in_days` (Number) (Deprecated.) For buckets with versioning enabled (or suspended), specifies the time, in days, between when a new version of the object is uploaded to the bucket and when old versions of the object expire. When object versions expire, Amazon S3 permanently deletes them. If you specify a transition and expiration time, the expiration time must be later than the transition time. +- `noncurrent_version_transition` (Attributes) (Deprecated.) For buckets with versioning enabled (or suspended), specifies when non-current objects transition to a specified storage class. If you specify a transition and expiration time, the expiration time must be later than the transition time. If you specify this property, don't specify the ``NoncurrentVersionTransitions`` property. (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--noncurrent_version_transition)) +- `noncurrent_version_transitions` (Attributes List) For buckets with versioning enabled (or suspended), one or more transition rules that specify when non-current objects transition to a specified storage class. If you specify a transition and expiration time, the expiration time must be later than the transition time. 
If you specify this property, don't specify the ``NoncurrentVersionTransition`` property. (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--noncurrent_version_transitions)) +- `object_size_greater_than` (String) Specifies the minimum object size in bytes for this rule to apply to. Objects must be larger than this value in bytes. For more information about size based rules, see [Lifecycle configuration using size-based rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-configuration-examples.html#lc-size-rules) in the *Amazon S3 User Guide*. +- `object_size_less_than` (String) Specifies the maximum object size in bytes for this rule to apply to. Objects must be smaller than this value in bytes. For more information about sized based rules, see [Lifecycle configuration using size-based rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-configuration-examples.html#lc-size-rules) in the *Amazon S3 User Guide*. +- `prefix` (String) Object key prefix that identifies one or more objects to which this rule applies. + Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints). +- `tag_filters` (Attributes List) Tags to use to identify a subset of objects to which the lifecycle rule applies. (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--tag_filters)) +- `transition` (Attributes) (Deprecated.) Specifies when an object transitions to a specified storage class. If you specify an expiration and transition time, you must use the same time unit for both properties (either in days or by date). The expiration time must also be later than the transition time. If you specify this property, don't specify the ``Transitions`` property. 
(see [below for nested schema](#nestedatt--lifecycle_configuration--rules--transition)) +- `transitions` (Attributes List) One or more transition rules that specify when an object transitions to a specified storage class. If you specify an expiration and transition time, you must use the same time unit for both properties (either in days or by date). The expiration time must also be later than the transition time. If you specify this property, don't specify the ``Transition`` property. (see [below for nested schema](#nestedatt--lifecycle_configuration--rules--transitions)) ### Nested Schema for `lifecycle_configuration.rules.abort_incomplete_multipart_upload` Required: -- `days_after_initiation` (Number) Specifies the number of days after which Amazon S3 aborts an incomplete multipart upload. +- `days_after_initiation` (Number) Specifies the number of days after which Amazon S3 stops an incomplete multipart upload. 
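Review bot: typo in the `object_size_less_than` description, "For more information about sized based rules" should read "size based rules" (the `object_size_greater_than` line just above has it right). Two smaller points in the same hunk: the new descriptions reference CloudFormation property names in PascalCase (``ExpirationInDays``, ``ExpirationDate``, ``TagFilters``, ``NoncurrentVersionTransitions``, ``Transitions``) while the attributes they describe are documented here as `expiration_in_days`, `tag_filters`, `transitions` and so on, so a reader has to translate names; consider mapping them to the snake_case attribute names when the descriptions are generated. And in `days_after_initiation`, replacing "aborts an incomplete multipart upload" with "stops" loses the verb that matches the operation and the attribute name `abort_incomplete_multipart_upload`; "aborts" was the more precise wording.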
@@ -326,11 +356,11 @@ Required: Required: -- `noncurrent_days` (Number) Specified the number of days an object is noncurrent before Amazon S3 can perform the associated action +- `noncurrent_days` (Number) Specifies the number of days an object is noncurrent before S3 can perform the associated action. For information about the noncurrent days calculations, see [How Amazon S3 Calculates When an Object Became Noncurrent](https://docs.aws.amazon.com/AmazonS3/latest/dev/intro-lifecycle-rules.html#non-current-days-calculations) in the *Amazon S3 User Guide*. Optional: -- `newer_noncurrent_versions` (Number) Specified the number of newer noncurrent and current versions that must exists before performing the associated action +- `newer_noncurrent_versions` (Number) Specifies how many noncurrent versions S3 will retain. If there are this many more recent noncurrent versions, S3 will take the associated action. For more information about noncurrent versions, see [Lifecycle configuration elements](https://docs.aws.amazon.com/AmazonS3/latest/userguide/intro-lifecycle-rules.html) in the *Amazon S3 User Guide*. 
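Review bot: the two links added in this hunk point at different documentation paths for the same guide. `noncurrent_days` links to `https://docs.aws.amazon.com/AmazonS3/latest/dev/intro-lifecycle-rules.html#non-current-days-calculations` while `newer_noncurrent_versions` links to `https://docs.aws.amazon.com/AmazonS3/latest/userguide/intro-lifecycle-rules.html`, and both are labelled "in the *Amazon S3 User Guide*". The `/latest/dev/` path is the older Developer Guide location; normalizing to `/latest/userguide/` would keep the links consistent and avoid depending on a redirect.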
@@ -339,11 +369,11 @@ Optional: Required: - `storage_class` (String) The class of storage used to store the object. -- `transition_in_days` (Number) Specifies the number of days an object is noncurrent before Amazon S3 can perform the associated action. +- `transition_in_days` (Number) Specifies the number of days an object is noncurrent before Amazon S3 can perform the associated action. For information about the noncurrent days calculations, see [How Amazon S3 Calculates How Long an Object Has Been Noncurrent](https://docs.aws.amazon.com/AmazonS3/latest/dev/intro-lifecycle-rules.html#non-current-days-calculations) in the *Amazon S3 User Guide*. Optional: -- `newer_noncurrent_versions` (Number) Specified the number of newer noncurrent and current versions that must exists before performing the associated action +- `newer_noncurrent_versions` (Number) Specifies how many noncurrent versions S3 will retain. If there are this many more recent noncurrent versions, S3 will take the associated action. For more information about noncurrent versions, see [Lifecycle configuration elements](https://docs.aws.amazon.com/AmazonS3/latest/userguide/intro-lifecycle-rules.html) in the *Amazon S3 User Guide*. 
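Review bot: the link text for the same anchor differs between hunks. Here `transition_in_days` links to `#non-current-days-calculations` as "How Amazon S3 Calculates How Long an Object Has Been Noncurrent", while the preceding hunk's `noncurrent_days` links to the same anchor as "How Amazon S3 Calculates When an Object Became Noncurrent". Pick one title (the current section heading in the guide) and use it in both places, and in the `noncurrent_version_transitions` hunk that follows, which repeats this text verbatim.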
@@ -352,11 +382,11 @@ Optional: Required: - `storage_class` (String) The class of storage used to store the object. -- `transition_in_days` (Number) Specifies the number of days an object is noncurrent before Amazon S3 can perform the associated action. +- `transition_in_days` (Number) Specifies the number of days an object is noncurrent before Amazon S3 can perform the associated action. For information about the noncurrent days calculations, see [How Amazon S3 Calculates How Long an Object Has Been Noncurrent](https://docs.aws.amazon.com/AmazonS3/latest/dev/intro-lifecycle-rules.html#non-current-days-calculations) in the *Amazon S3 User Guide*. Optional: -- `newer_noncurrent_versions` (Number) Specified the number of newer noncurrent and current versions that must exists before performing the associated action +- `newer_noncurrent_versions` (Number) Specifies how many noncurrent versions S3 will retain. If there are this many more recent noncurrent versions, S3 will take the associated action. For more information about noncurrent versions, see [Lifecycle configuration elements](https://docs.aws.amazon.com/AmazonS3/latest/userguide/intro-lifecycle-rules.html) in the *Amazon S3 User Guide*. @@ -364,8 +394,8 @@ Optional: Required: -- `key` (String) -- `value` (String) +- `key` (String) The tag key. +- `value` (String) The tag value. 
@@ -373,12 +403,12 @@ Required: Required: -- `storage_class` (String) +- `storage_class` (String) The storage class to which you want the object to transition. Optional: -- `transition_date` (String) The date value in ISO 8601 format. The timezone is always UTC. (YYYY-MM-DDThh:mm:ssZ) -- `transition_in_days` (Number) +- `transition_date` (String) Indicates when objects are transitioned to the specified storage class. The date value must be in ISO 8601 format. The time is always midnight UTC. +- `transition_in_days` (Number) Indicates the number of days after creation when objects are transitioned to the specified storage class. The value must be a positive integer. @@ -386,12 +416,12 @@ Optional: Required: -- `storage_class` (String) +- `storage_class` (String) The storage class to which you want the object to transition. Optional: -- `transition_date` (String) The date value in ISO 8601 format. The timezone is always UTC. (YYYY-MM-DDThh:mm:ssZ) -- `transition_in_days` (Number) +- `transition_date` (String) Indicates when objects are transitioned to the specified storage class. The date value must be in ISO 8601 format. The time is always midnight UTC. +- `transition_in_days` (Number) Indicates the number of days after creation when objects are transitioned to the specified storage class. The value must be a positive integer. 
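Review bot: the rewritten `transition_date` description drops the explicit timestamp pattern. The removed line read "The date value in ISO 8601 format. The timezone is always UTC. (YYYY-MM-DDThh:mm:ssZ)"; the replacement keeps "ISO 8601" and "midnight UTC" but no longer shows the shape of an accepted value, and ISO 8601 admits several forms. Keeping the `YYYY-MM-DDThh:mm:ssZ` example in both the `transition` and `transitions` nested schemas changed here would make the midnight-UTC constraint concrete.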
@@ -401,16 +431,18 @@ Optional: Optional: -- `destination_bucket_name` (String) The name of an Amazon S3 bucket where Amazon S3 store server access log files. You can store log files in any bucket that you own. By default, logs are stored in the bucket where the LoggingConfiguration property is defined. -- `log_file_prefix` (String) -- `target_object_key_format` (Attributes) Describes the key format for server access log file in the target bucket. You can choose between SimplePrefix and PartitionedPrefix. (see [below for nested schema](#nestedatt--logging_configuration--target_object_key_format)) +- `destination_bucket_name` (String) The name of the bucket where Amazon S3 should store server access log files. You can store log files in any bucket that you own. By default, logs are stored in the bucket where the ``LoggingConfiguration`` property is defined. +- `log_file_prefix` (String) A prefix for all log object keys. If you store log files from multiple Amazon S3 buckets in a single bucket, you can use a prefix to distinguish which log files came from which bucket. +- `target_object_key_format` (Attributes) Amazon S3 key format for log objects. Only one format, either PartitionedPrefix or SimplePrefix, is allowed. (see [below for nested schema](#nestedatt--logging_configuration--target_object_key_format)) ### Nested Schema for `logging_configuration.target_object_key_format` Optional: -- `partitioned_prefix` (Attributes) This format appends a time based prefix to the given log file prefix for delivering server access log file. 
(see [below for nested schema](#nestedatt--logging_configuration--target_object_key_format--partitioned_prefix)) +- `partitioned_prefix` (Attributes) Amazon S3 keys for log objects are partitioned in the following format: + ``[DestinationPrefix][SourceAccountId]/[SourceRegion]/[SourceBucket]/[YYYY]/[MM]/[DD]/[YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]`` + PartitionedPrefix defaults to EventTime delivery when server access logs are delivered. (see [below for nested schema](#nestedatt--logging_configuration--target_object_key_format--partitioned_prefix)) - `simple_prefix` (String) This format defaults the prefix to the given log file prefix for delivering server access log file. @@ -418,7 +450,7 @@ Optional: Optional: -- `partition_date_source` (String) Date Source for creating a partitioned prefix. This can be event time or delivery time. +- `partition_date_source` (String) Specifies the partition date source for the partitioned prefix. PartitionDateSource can be EventTime or DeliveryTime. 
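Review bot: the key-format template in the `partitioned_prefix` description is inserted as a bare continuation line (a single leading space before ``[DestinationPrefix][SourceAccountId]/[SourceRegion]/[SourceBucket]/...``) inside a `-` list item. Depending on the Markdown renderer this may be folded into the preceding sentence rather than shown on its own line; indenting it to the list item's content column, or placing it as a code span after a colon on the same line, would make it display predictably. In the same region, `partition_date_source` names its accepted values `EventTime` and `DeliveryTime` in plain text, while literal values elsewhere in this file (``TRUE``, ``Days``, ``Years``) are code-formatted.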
@@ -428,21 +460,21 @@ Optional: Required: -- `id` (String) +- `id` (String) The ID used to identify the metrics configuration. This can be any value you choose that helps you identify your metrics configuration. Optional: -- `access_point_arn` (String) -- `prefix` (String) -- `tag_filters` (Attributes List) (see [below for nested schema](#nestedatt--metrics_configurations--tag_filters)) +- `access_point_arn` (String) The access point that was used while performing operations on the object. The metrics configuration only includes objects that meet the filter's criteria. +- `prefix` (String) The prefix that an object must have to be included in the metrics results. +- `tag_filters` (Attributes List) Specifies a list of tag filters to use as a metrics configuration filter. The metrics configuration includes only objects that meet the filter's criteria. (see [below for nested schema](#nestedatt--metrics_configurations--tag_filters)) ### Nested Schema for `metrics_configurations.tag_filters` Required: -- `key` (String) -- `value` (String) +- `key` (String) The tag key. +- `value` (String) The tag value. 
@@ -451,17 +483,17 @@ Required: Optional: -- `event_bridge_configuration` (Attributes) Describes the Amazon EventBridge notification configuration for an Amazon S3 bucket. (see [below for nested schema](#nestedatt--notification_configuration--event_bridge_configuration)) -- `lambda_configurations` (Attributes List) (see [below for nested schema](#nestedatt--notification_configuration--lambda_configurations)) -- `queue_configurations` (Attributes List) (see [below for nested schema](#nestedatt--notification_configuration--queue_configurations)) -- `topic_configurations` (Attributes List) (see [below for nested schema](#nestedatt--notification_configuration--topic_configurations)) +- `event_bridge_configuration` (Attributes) Enables delivery of events to Amazon EventBridge. (see [below for nested schema](#nestedatt--notification_configuration--event_bridge_configuration)) +- `lambda_configurations` (Attributes List) Describes the LAMlong functions to invoke and the events for which to invoke them. (see [below for nested schema](#nestedatt--notification_configuration--lambda_configurations)) +- `queue_configurations` (Attributes List) The Amazon Simple Queue Service queues to publish messages to and the events for which to publish messages. (see [below for nested schema](#nestedatt--notification_configuration--queue_configurations)) +- `topic_configurations` (Attributes List) The topic to which notifications are sent and the events for which notifications are generated. (see [below for nested schema](#nestedatt--notification_configuration--topic_configurations)) ### Nested Schema for `notification_configuration.event_bridge_configuration` Optional: -- `event_bridge_enabled` (Boolean) Specifies whether to send notifications to Amazon EventBridge when events occur in an Amazon S3 bucket. +- `event_bridge_enabled` (Boolean) Enables delivery of events to Amazon EventBridge. 
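Review bot: `event_bridge_enabled` is a Boolean, but its new description "Enables delivery of events to Amazon EventBridge." is identical to the parent `event_bridge_configuration` description and only describes the true case. The removed wording, "Specifies whether to send notifications to Amazon EventBridge when events occur in an Amazon S3 bucket.", covers both values and distinguishes the flag from its container; keep the "Specifies whether" form for the Boolean.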
@@ -469,12 +501,12 @@ Optional: Required: -- `event` (String) The Amazon S3 bucket event for which to invoke the AWS Lambda function. -- `function` (String) The Amazon Resource Name (ARN) of the AWS Lambda function that Amazon S3 invokes when the specified event type occurs. +- `event` (String) The Amazon S3 bucket event for which to invoke the LAMlong function. For more information, see [Supported Event Types](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html) in the *Amazon S3 User Guide*. +- `function` (String) The Amazon Resource Name (ARN) of the LAMlong function that Amazon S3 invokes when the specified event type occurs. Optional: -- `filter` (Attributes) The filtering rules that determine which objects invoke the AWS Lambda function. (see [below for nested schema](#nestedatt--notification_configuration--lambda_configurations--filter)) +- `filter` (Attributes) The filtering rules that determine which objects invoke the AWS Lambda function. For example, you can create a filter so that only image files with a ``.jpg`` extension invoke the function when they are added to the Amazon S3 bucket. (see [below for nested schema](#nestedatt--notification_configuration--lambda_configurations--filter)) ### Nested Schema for `notification_configuration.lambda_configurations.filter` 
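Review bot: "LAMlong" in the `event` and `function` descriptions is an unexpanded abbreviation token from the source schema, not a product name; the removed lines in this hunk show the intended text, "AWS Lambda function", and the `filter` description in the same hunk still says "AWS Lambda function", so the hunk is internally inconsistent. Expand the token to "AWS Lambda" wherever it appears, including the `lambda_configurations` description in the previous hunk ("Describes the LAMlong functions to invoke").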
@@ -488,15 +520,15 @@ Required: Required: -- `rules` (Attributes List) (see [below for nested schema](#nestedatt--notification_configuration--lambda_configurations--filter--s3_key--rules)) +- `rules` (Attributes List) A list of containers for the key-value pair that defines the criteria for the filter rule. (see [below for nested schema](#nestedatt--notification_configuration--lambda_configurations--filter--s3_key--rules)) ### Nested Schema for `notification_configuration.lambda_configurations.filter.s3_key.rules` Required: -- `name` (String) -- `value` (String) +- `name` (String) The object key name prefix or suffix identifying one or more objects to which the filtering rule applies. The maximum length is 1,024 characters. Overlapping prefixes and suffixes are not supported. For more information, see [Configuring Event Notifications](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html) in the *Amazon S3 User Guide*. +- `value` (String) The value that the filter searches for in object key names. 
@@ -507,12 +539,12 @@ Required: Required: -- `event` (String) The Amazon S3 bucket event about which you want to publish messages to Amazon SQS. -- `queue` (String) The Amazon Resource Name (ARN) of the Amazon SQS queue to which Amazon S3 publishes a message when it detects events of the specified type. +- `event` (String) The Amazon S3 bucket event about which you want to publish messages to Amazon SQS. For more information, see [Supported Event Types](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html) in the *Amazon S3 User Guide*. +- `queue` (String) The Amazon Resource Name (ARN) of the Amazon SQS queue to which Amazon S3 publishes a message when it detects events of the specified type. FIFO queues are not allowed when enabling an SQS queue as the event notification destination. Optional: -- `filter` (Attributes) The filtering rules that determine which objects trigger notifications. (see [below for nested schema](#nestedatt--notification_configuration--queue_configurations--filter)) +- `filter` (Attributes) The filtering rules that determine which objects trigger notifications. For example, you can create a filter so that Amazon S3 sends notifications only when image files with a ``.jpg`` extension are added to the bucket. For more information, see [Configuring event notifications using object key name filtering](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/notification-how-to-filtering.html) in the *Amazon S3 User Guide*. (see [below for nested schema](#nestedatt--notification_configuration--queue_configurations--filter)) ### Nested Schema for `notification_configuration.queue_configurations.filter` 
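Review bot: the `filter` link in this hunk uses the path `https://docs.aws.amazon.com/AmazonS3/latest/user-guide/notification-how-to-filtering.html` (hyphenated `user-guide`), while every other User Guide link in this change uses `/latest/userguide/` or `/latest/dev/`. Check that the hyphenated path resolves and normalize it with the others. The addition to `queue` that "FIFO queues are not allowed when enabling an SQS queue as the event notification destination" is a useful constraint to surface in the attribute description.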
@@ -526,15 +558,15 @@ Required: Required: -- `rules` (Attributes List) (see [below for nested schema](#nestedatt--notification_configuration--queue_configurations--filter--s3_key--rules)) +- `rules` (Attributes List) A list of containers for the key-value pair that defines the criteria for the filter rule. (see [below for nested schema](#nestedatt--notification_configuration--queue_configurations--filter--s3_key--rules)) ### Nested Schema for `notification_configuration.queue_configurations.filter.s3_key.rules` Required: -- `name` (String) -- `value` (String) +- `name` (String) The object key name prefix or suffix identifying one or more objects to which the filtering rule applies. The maximum length is 1,024 characters. Overlapping prefixes and suffixes are not supported. For more information, see [Configuring Event Notifications](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html) in the *Amazon S3 User Guide*. +- `value` (String) The value that the filter searches for in object key names. 
@@ -545,12 +577,12 @@ Required: Required: -- `event` (String) The Amazon S3 bucket event about which to send notifications. +- `event` (String) The Amazon S3 bucket event about which to send notifications. For more information, see [Supported Event Types](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html) in the *Amazon S3 User Guide*. - `topic` (String) The Amazon Resource Name (ARN) of the Amazon SNS topic to which Amazon S3 publishes a message when it detects events of the specified type. Optional: -- `filter` (Attributes) The filtering rules that determine for which objects to send notifications. (see [below for nested schema](#nestedatt--notification_configuration--topic_configurations--filter)) +- `filter` (Attributes) The filtering rules that determine for which objects to send notifications. For example, you can create a filter so that Amazon S3 sends notifications only when image files with a ``.jpg`` extension are added to the bucket. (see [below for nested schema](#nestedatt--notification_configuration--topic_configurations--filter)) ### Nested Schema for `notification_configuration.topic_configurations.filter` 
@@ -564,15 +596,15 @@ Required: Required: -- `rules` (Attributes List) (see [below for nested schema](#nestedatt--notification_configuration--topic_configurations--filter--s3_key--rules)) +- `rules` (Attributes List) A list of containers for the key-value pair that defines the criteria for the filter rule. (see [below for nested schema](#nestedatt--notification_configuration--topic_configurations--filter--s3_key--rules)) ### Nested Schema for `notification_configuration.topic_configurations.filter.s3_key.rules` Required: -- `name` (String) -- `value` (String) +- `name` (String) The object key name prefix or suffix identifying one or more objects to which the filtering rule applies. The maximum length is 1,024 characters. Overlapping prefixes and suffixes are not supported. For more information, see [Configuring Event Notifications](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html) in the *Amazon S3 User Guide*. +- `value` (String) The value that the filter searches for in object key names. 
@@ -584,24 +616,24 @@ Required: Optional: -- `object_lock_enabled` (String) -- `rule` (Attributes) The Object Lock rule in place for the specified object. (see [below for nested schema](#nestedatt--object_lock_configuration--rule)) +- `object_lock_enabled` (String) Indicates whether this bucket has an Object Lock configuration enabled. Enable ``ObjectLockEnabled`` when you apply ``ObjectLockConfiguration`` to a bucket. +- `rule` (Attributes) Specifies the Object Lock rule for the specified object. Enable this rule when you apply ``ObjectLockConfiguration`` to a bucket. If Object Lock is turned on, bucket settings require both ``Mode`` and a period of either ``Days`` or ``Years``. You cannot specify ``Days`` and ``Years`` at the same time. For more information, see [ObjectLockRule](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-objectlockrule.html) and [DefaultRetention](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-defaultretention.html). (see [below for nested schema](#nestedatt--object_lock_configuration--rule)) ### Nested Schema for `object_lock_configuration.rule` Optional: -- `default_retention` (Attributes) The default retention period that you want to apply to new objects placed in the specified bucket. (see [below for nested schema](#nestedatt--object_lock_configuration--rule--default_retention)) +- `default_retention` (Attributes) The default Object Lock retention mode and period that you want to apply to new objects placed in the specified bucket. If Object Lock is turned on, bucket settings require both ``Mode`` and a period of either ``Days`` or ``Years``. You cannot specify ``Days`` and ``Years`` at the same time. For more information about allowable values for mode and period, see [DefaultRetention](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-defaultretention.html). 
(see [below for nested schema](#nestedatt--object_lock_configuration--rule--default_retention)) ### Nested Schema for `object_lock_configuration.rule.default_retention` Optional: -- `days` (Number) -- `mode` (String) -- `years` (Number) +- `days` (Number) The number of days that you want to specify for the default retention period. If Object Lock is turned on, you must specify ``Mode`` and specify either ``Days`` or ``Years``. +- `mode` (String) The default Object Lock retention mode you want to apply to new objects placed in the specified bucket. If Object Lock is turned on, you must specify ``Mode`` and specify either ``Days`` or ``Years``. +- `years` (Number) The number of years that you want to specify for the default retention period. If Object Lock is turned on, you must specify ``Mode`` and specify either ``Days`` or ``Years``. @@ -611,7 +643,7 @@ Optional: Required: -- `rules` (Attributes List) (see [below for nested schema](#nestedatt--ownership_controls--rules)) +- `rules` (Attributes List) Specifies the container element for Object Ownership rules. (see [below for nested schema](#nestedatt--ownership_controls--rules)) ### Nested Schema for `ownership_controls.rules` 
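Review bot: `object_lock_enabled` is typed (String) but the new description, "Indicates whether this bucket has an Object Lock configuration enabled. Enable ``ObjectLockEnabled`` when you apply ``ObjectLockConfiguration`` to a bucket.", reads like a Boolean and never states which string value is accepted; if, as in the CloudFormation schema this is generated from, the only accepted value is the literal "Enabled", the description should say so, otherwise readers will try `true`. The same hunk repeats "If Object Lock is turned on, bucket settings require both ``Mode`` and a period of either ``Days`` or ``Years``" (or its "you must specify" variant) in `rule`, `default_retention`, `days`, `mode` and `years`; stating the constraint once at `rule` and letting the leaf attributes describe only their own value would shorten the section without losing it.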
@@ -627,16 +659,18 @@ Optional: Optional: -- `block_public_acls` (Boolean) Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to TRUE causes the following behavior: -- PUT Bucket acl and PUT Object acl calls fail if the specified ACL is public. - - PUT Object calls fail if the request includes a public ACL. -Enabling this setting doesn't affect existing policies or ACLs. -- `block_public_policy` (Boolean) Specifies whether Amazon S3 should block public bucket policies for this bucket. Setting this element to TRUE causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access. -Enabling this setting doesn't affect existing bucket policies. -- `ignore_public_acls` (Boolean) Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. Setting this element to TRUE causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket. -Enabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set. -- `restrict_public_buckets` (Boolean) Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to TRUE restricts access to this bucket to only AWS services and authorized users within this account if the bucket has a public policy. -Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked. +- `block_public_acls` (Boolean) Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to ``TRUE`` causes the following behavior: + + PUT Bucket ACL and PUT Object ACL calls fail if the specified ACL is public. 
+ + PUT Object calls fail if the request includes a public ACL. + + PUT Bucket calls fail if the request includes a public ACL. + + Enabling this setting doesn't affect existing policies or ACLs. +- `block_public_policy` (Boolean) Specifies whether Amazon S3 should block public bucket policies for this bucket. Setting this element to ``TRUE`` causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access. + Enabling this setting doesn't affect existing bucket policies. +- `ignore_public_acls` (Boolean) Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. Setting this element to ``TRUE`` causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket. + Enabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set. +- `restrict_public_buckets` (Boolean) Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to ``TRUE`` restricts access to this bucket to only AWS-service principals and authorized users within this account if the bucket has a public policy. + Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked. 
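Review bot: "AWS-service principals" in the `restrict_public_buckets` description carries a stray hyphen; the removed line read "AWS services and authorized users", so this is a substitution artifact from the source schema rather than intended text (the same "AWS-account" form appears in the replication hunk below). Also, the `block_public_acls` sub-list now uses `+` as its bullet marker (" + PUT Bucket ACL and PUT Object ACL calls fail if the specified ACL is public.") inside a `-` list, while the rest of the file uses `-` throughout; mixed markers render, but are easy to misread in a diff where `+` is also the added-line marker. Note that the third bullet, "PUT Bucket calls fail if the request includes a public ACL.", is new behaviour relative to the old two-bullet text, not just a rewording.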
@@ -644,48 +678,55 @@ Enabling this setting doesn't affect previously stored bucket policies, except t Required: -- `role` (String) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that Amazon S3 assumes when replicating objects. -- `rules` (Attributes List) A container for one or more replication rules. (see [below for nested schema](#nestedatt--replication_configuration--rules)) +- `role` (String) The Amazon Resource Name (ARN) of the IAMlong (IAM) role that Amazon S3 assumes when replicating objects. For more information, see [How to Set Up Replication](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-how-setup.html) in the *Amazon S3 User Guide*. +- `rules` (Attributes List) A container for one or more replication rules. A replication configuration must have at least one rule and can contain a maximum of 1,000 rules. (see [below for nested schema](#nestedatt--replication_configuration--rules)) ### Nested Schema for `replication_configuration.rules` Required: -- `destination` (Attributes) Specifies which Amazon S3 bucket to store replicated objects in and their storage class. (see [below for nested schema](#nestedatt--replication_configuration--rules--destination)) +- `destination` (Attributes) A container for information about the replication destination and its configurations including enabling the S3 Replication Time Control (S3 RTC). (see [below for nested schema](#nestedatt--replication_configuration--rules--destination)) - `status` (String) Specifies whether the rule is enabled. Optional: -- `delete_marker_replication` (Attributes) (see [below for nested schema](#nestedatt--replication_configuration--rules--delete_marker_replication)) -- `filter` (Attributes) (see [below for nested schema](#nestedatt--replication_configuration--rules--filter)) -- `id` (String) A unique identifier for the rule. -- `prefix` (String) An object key name prefix that identifies the object or objects to which the rule applies. 
-- `priority` (Number) -- `source_selection_criteria` (Attributes) A container that describes additional filters for identifying the source objects that you want to replicate. (see [below for nested schema](#nestedatt--replication_configuration--rules--source_selection_criteria)) +- `delete_marker_replication` (Attributes) Specifies whether Amazon S3 replicates delete markers. If you specify a ``Filter`` in your replication configuration, you must also include a ``DeleteMarkerReplication`` element. If your ``Filter`` includes a ``Tag`` element, the ``DeleteMarkerReplication`` ``Status`` must be set to Disabled, because Amazon S3 does not support replicating delete markers for tag-based rules. For an example configuration, see [Basic Rule Configuration](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-add-config.html#replication-config-min-rule-config). + For more information about delete marker replication, see [Basic Rule Configuration](https://docs.aws.amazon.com/AmazonS3/latest/dev/delete-marker-replication.html). + If you are using an earlier version of the replication configuration, Amazon S3 handles replication of delete markers differently. For more information, see [Backward Compatibility](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-add-config.html#replication-backward-compat-considerations). (see [below for nested schema](#nestedatt--replication_configuration--rules--delete_marker_replication)) +- `filter` (Attributes) A filter that identifies the subset of objects to which the replication rule applies. A ``Filter`` must specify exactly one ``Prefix``, ``TagFilter``, or an ``And`` child element. The use of the filter field indicates that this is a V2 replication configuration. This field isn't supported in a V1 replication configuration. + V1 replication configuration only supports filtering by key prefix. To filter using a V1 replication configuration, add the ``Prefix`` directly as a child element of the ``Rule`` element. 
(see [below for nested schema](#nestedatt--replication_configuration--rules--filter)) +- `id` (String) A unique identifier for the rule. The maximum value is 255 characters. If you don't specify a value, AWS CloudFormation generates a random ID. When using a V2 replication configuration this property is capitalized as "ID". +- `prefix` (String) An object key name prefix that identifies the object or objects to which the rule applies. The maximum prefix length is 1,024 characters. To include all objects in a bucket, specify an empty string. To filter using a V1 replication configuration, add the ``Prefix`` directly as a child element of the ``Rule`` element. + Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints). +- `priority` (Number) The priority indicates which rule has precedence whenever two or more replication rules conflict. Amazon S3 will attempt to replicate objects according to all replication rules. However, if there are two or more rules with the same destination bucket, then objects will be replicated according to the rule with the highest priority. The higher the number, the higher the priority. + For more information, see [Replication](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication.html) in the *Amazon S3 User Guide*. +- `source_selection_criteria` (Attributes) A container that describes additional filters for identifying the source objects that you want to replicate. You can choose to enable or disable the replication of these objects. 
(see [below for nested schema](#nestedatt--replication_configuration--rules--source_selection_criteria)) ### Nested Schema for `replication_configuration.rules.destination` Required: -- `bucket` (String) +- `bucket` (String) The Amazon Resource Name (ARN) of the bucket where you want Amazon S3 to store the results. Optional: -- `access_control_translation` (Attributes) Specify this only in a cross-account scenario (where source and destination bucket owners are not the same), and you want to change replica ownership to the AWS account that owns the destination bucket. If this is not specified in the replication configuration, the replicas are owned by same AWS account that owns the source object. (see [below for nested schema](#nestedatt--replication_configuration--rules--destination--access_control_translation)) -- `account` (String) -- `encryption_configuration` (Attributes) Specifies encryption-related information for an Amazon S3 bucket that is a destination for replicated objects. (see [below for nested schema](#nestedatt--replication_configuration--rules--destination--encryption_configuration)) -- `metrics` (Attributes) (see [below for nested schema](#nestedatt--replication_configuration--rules--destination--metrics)) -- `replication_time` (Attributes) (see [below for nested schema](#nestedatt--replication_configuration--rules--destination--replication_time)) -- `storage_class` (String) The storage class to use when replicating objects, such as S3 Standard or reduced redundancy. +- `access_control_translation` (Attributes) Specify this only in a cross-account scenario (where source and destination bucket owners are not the same), and you want to change replica ownership to the AWS-account that owns the destination bucket. If this is not specified in the replication configuration, the replicas are owned by same AWS-account that owns the source object. 
(see [below for nested schema](#nestedatt--replication_configuration--rules--destination--access_control_translation)) +- `account` (String) Destination bucket owner account ID. In a cross-account scenario, if you direct Amazon S3 to change replica ownership to the AWS-account that owns the destination bucket by specifying the ``AccessControlTranslation`` property, this is the account ID of the destination bucket owner. For more information, see [Cross-Region Replication Additional Configuration: Change Replica Owner](https://docs.aws.amazon.com/AmazonS3/latest/dev/crr-change-owner.html) in the *Amazon S3 User Guide*. + If you specify the ``AccessControlTranslation`` property, the ``Account`` property is required. +- `encryption_configuration` (Attributes) Specifies encryption-related information. (see [below for nested schema](#nestedatt--replication_configuration--rules--destination--encryption_configuration)) +- `metrics` (Attributes) A container specifying replication metrics-related settings enabling replication metrics and events. (see [below for nested schema](#nestedatt--replication_configuration--rules--destination--metrics)) +- `replication_time` (Attributes) A container specifying S3 Replication Time Control (S3 RTC), including whether S3 RTC is enabled and the time when all objects and operations on objects must be replicated. Must be specified together with a ``Metrics`` block. (see [below for nested schema](#nestedatt--replication_configuration--rules--destination--replication_time)) +- `storage_class` (String) The storage class to use when replicating objects, such as S3 Standard or reduced redundancy. By default, Amazon S3 uses the storage class of the source object to create the object replica. + For valid values, see the ``StorageClass`` element of the [PUT Bucket replication](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTreplication.html) action in the *Amazon S3 API Reference*. 
### Nested Schema for `replication_configuration.rules.destination.storage_class` Required: -- `owner` (String) +- `owner` (String) Specifies the replica ownership. For default and valid values, see [PUT bucket replication](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTreplication.html) in the *Amazon S3 API Reference*. @@ -693,7 +734,7 @@ Required: Required: -- `replica_kms_key_id` (String) Specifies the ID (Key ARN or Alias ARN) of the customer managed customer master key (CMK) stored in AWS Key Management Service (KMS) for the destination bucket. +- `replica_kms_key_id` (String) Specifies the ID (Key ARN or Alias ARN) of the customer managed AWS KMS key stored in AWS Key Management Service (KMS) for the destination bucket. Amazon S3 uses this key to encrypt replica objects. Amazon S3 only supports symmetric encryption KMS keys. For more information, see [Asymmetric keys in KMS](https://docs.aws.amazon.com//kms/latest/developerguide/symmetric-asymmetric.html) in the *Key Management Service Developer Guide*. @@ -701,18 +742,19 @@ Required: Required: -- `status` (String) +- `status` (String) Specifies whether the replication metrics are enabled. Optional: -- `event_threshold` (Attributes) (see [below for nested schema](#nestedatt--replication_configuration--rules--destination--storage_class--event_threshold)) +- `event_threshold` (Attributes) A container specifying the time threshold for emitting the ``s3:Replication:OperationMissedThreshold`` event. (see [below for nested schema](#nestedatt--replication_configuration--rules--destination--storage_class--event_threshold)) ### Nested Schema for `replication_configuration.rules.destination.storage_class.event_threshold` Required: -- `minutes` (Number) +- `minutes` (Number) Contains an integer specifying time in minutes. + Valid value: 15 
@@ -721,15 +763,16 @@ Required: Required: -- `status` (String) -- `time` (Attributes) (see [below for nested schema](#nestedatt--replication_configuration--rules--destination--storage_class--time)) +- `status` (String) Specifies whether the replication time is enabled. +- `time` (Attributes) A container specifying the time by which replication should be complete for all objects and operations on objects. (see [below for nested schema](#nestedatt--replication_configuration--rules--destination--storage_class--time)) ### Nested Schema for `replication_configuration.rules.destination.storage_class.time` Required: -- `minutes` (Number) +- `minutes` (Number) Contains an integer specifying time in minutes. + Valid value: 15 @@ -739,7 +782,7 @@ Required: Optional: -- `status` (String) +- `status` (String) Indicates whether to replicate delete markers. Disabled by default. 
@@ -747,25 +790,29 @@ Optional: Optional: -- `and` (Attributes) (see [below for nested schema](#nestedatt--replication_configuration--rules--filter--and)) -- `prefix` (String) -- `tag_filter` (Attributes) Tags to use to identify a subset of objects for an Amazon S3 bucket. (see [below for nested schema](#nestedatt--replication_configuration--rules--filter--tag_filter)) +- `and` (Attributes) A container for specifying rule filters. The filters determine the subset of objects to which the rule applies. This element is required only if you specify more than one filter. For example: + + If you specify both a ``Prefix`` and a ``TagFilter``, wrap these filters in an ``And`` tag. + + If you specify a filter based on multiple tags, wrap the ``TagFilter`` elements in an ``And`` tag. (see [below for nested schema](#nestedatt--replication_configuration--rules--filter--and)) +- `prefix` (String) An object key name prefix that identifies the subset of objects to which the rule applies. + Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints). +- `tag_filter` (Attributes) A container for specifying a tag key and value. + The rule applies only to objects that have the tag in their tag set. (see [below for nested schema](#nestedatt--replication_configuration--rules--filter--tag_filter)) ### Nested Schema for `replication_configuration.rules.filter.tag_filter` Optional: -- `prefix` (String) -- `tag_filters` (Attributes List) (see [below for nested schema](#nestedatt--replication_configuration--rules--filter--tag_filter--tag_filters)) +- `prefix` (String) An object key name prefix that identifies the subset of objects to which the rule applies. +- `tag_filters` (Attributes List) An array of tags containing key and value pairs. 
(see [below for nested schema](#nestedatt--replication_configuration--rules--filter--tag_filter--tag_filters)) ### Nested Schema for `replication_configuration.rules.filter.tag_filter.tag_filters` Required: -- `key` (String) -- `value` (String) +- `key` (String) The tag key. +- `value` (String) The tag value. @@ -774,8 +821,8 @@ Required: Required: -- `key` (String) -- `value` (String) +- `key` (String) The tag key. +- `value` (String) The tag value. @@ -793,6 +840,7 @@ Optional: Required: - `status` (String) Specifies whether Amazon S3 replicates modifications on replicas. + *Allowed values*: ``Enabled`` | ``Disabled`` @@ -800,7 +848,7 @@ Required: Required: -- `status` (String) Specifies whether Amazon S3 replicates objects created with server-side encryption using a customer master key (CMK) stored in AWS Key Management Service. +- `status` (String) Specifies whether Amazon S3 replicates objects created with server-side encryption using an AWS KMS key stored in AWS Key Management Service. @@ -811,8 +859,8 @@ Required: Required: -- `key` (String) -- `value` (String) +- `key` (String) Name of the object key. +- `value` (String) Value of the tag. 
@@ -830,8 +878,9 @@ Optional: - `error_document` (String) The name of the error document for the website. - `index_document` (String) The name of the index document for the website. -- `redirect_all_requests_to` (Attributes) Specifies the redirect behavior of all requests to a website endpoint of an Amazon S3 bucket. (see [below for nested schema](#nestedatt--website_configuration--redirect_all_requests_to)) -- `routing_rules` (Attributes List) (see [below for nested schema](#nestedatt--website_configuration--routing_rules)) +- `redirect_all_requests_to` (Attributes) The redirect behavior for every request to this bucket's website endpoint. + If you specify this property, you can't specify any other property. (see [below for nested schema](#nestedatt--website_configuration--redirect_all_requests_to)) +- `routing_rules` (Attributes List) Rules that define when a redirect is applied and the redirect behavior. (see [below for nested schema](#nestedatt--website_configuration--routing_rules)) ### Nested Schema for `website_configuration.redirect_all_requests_to` @@ -854,7 +903,7 @@ Required: Optional: -- `routing_rule_condition` (Attributes) A container for describing a condition that must be met for the specified redirect to apply.You must specify at least one of HttpErrorCodeReturnedEquals and KeyPrefixEquals (see [below for nested schema](#nestedatt--website_configuration--routing_rules--routing_rule_condition)) +- `routing_rule_condition` (Attributes) A container for describing a condition that must be met for the specified redirect to apply. For example, 1. If request is for pages in the ``/docs`` folder, redirect to the ``/documents`` folder. 2. If request results in HTTP error 4xx, redirect request to another host where you might process the error. (see [below for nested schema](#nestedatt--website_configuration--routing_rules--routing_rule_condition)) ### Nested Schema for `website_configuration.routing_rules.redirect_rule` 
@@ -864,8 +913,10 @@ Optional: - `host_name` (String) The host name to use in the redirect request. - `http_redirect_code` (String) The HTTP redirect code to use on the response. Not required if one of the siblings is present. - `protocol` (String) Protocol to use when redirecting requests. The default is the protocol that is used in the original request. -- `replace_key_prefix_with` (String) The object key prefix to use in the redirect request. -- `replace_key_with` (String) The specific object key to use in the redirect request.d +- `replace_key_prefix_with` (String) The object key prefix to use in the redirect request. For example, to redirect requests for all pages with prefix ``docs/`` (objects in the ``docs/`` folder) to ``documents/``, you can set a condition block with ``KeyPrefixEquals`` set to ``docs/`` and in the Redirect set ``ReplaceKeyPrefixWith`` to ``/documents``. Not required if one of the siblings is present. Can be present only if ``ReplaceKeyWith`` is not provided. + Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints). +- `replace_key_with` (String) The specific object key to use in the redirect request. For example, redirect request to ``error.html``. Not required if one of the siblings is present. Can be present only if ``ReplaceKeyPrefixWith`` is not provided. + Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints). 
@@ -873,8 +924,10 @@ Optional: Optional: -- `http_error_code_returned_equals` (String) The HTTP error code when the redirect is applied. -- `key_prefix_equals` (String) The object key name prefix when the redirect is applied. +- `http_error_code_returned_equals` (String) The HTTP error code when the redirect is applied. In the event of an error, if the error code equals this value, then the specified redirect is applied. + Required when parent element ``Condition`` is specified and sibling ``KeyPrefixEquals`` is not specified. If both are specified, then both must be true for the redirect to be applied. +- `key_prefix_equals` (String) The object key name prefix when the redirect is applied. For example, to redirect requests for ``ExamplePage.html``, the key prefix will be ``ExamplePage.html``. To redirect request for all pages with the prefix ``docs/``, the key prefix will be ``/docs``, which identifies all objects in the docs/ folder. + Required when the parent element ``Condition`` is specified and sibling ``HttpErrorCodeReturnedEquals`` is not specified. If both conditions are specified, both must be true for the redirect to be applied. ## Import diff --git a/docs/resources/s3_bucket_policy.md b/docs/resources/s3_bucket_policy.md index 0cba64e3e4..67990aeeb3 100644 --- a/docs/resources/s3_bucket_policy.md +++ b/docs/resources/s3_bucket_policy.md 
@@ -2,12 +2,22 @@ page_title: "awscc_s3_bucket_policy Resource - terraform-provider-awscc" subcategory: "" description: |- - Resource Type definition for AWS::S3::BucketPolicy + Applies an Amazon S3 bucket policy to an Amazon S3 bucket. If you are using an identity other than the root user of the AWS-account that owns the bucket, the calling identity must have the PutBucketPolicy permissions on the specified bucket and belong to the bucket owner's account in order to use this operation. + If you don't have PutBucketPolicy permissions, Amazon S3 returns a 403 Access Denied error. If you have the correct permissions, but you're not using an identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not Allowed error. + As a security precaution, the root user of the AWS-account that owns a bucket can always use this operation, even if the policy explicitly denies the root user the ability to perform this action. + For more information, see Bucket policy examples https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html. + The following operations are related to PutBucketPolicy: + + [Create --- # awscc_s3_bucket_policy (Resource) -Resource Type definition for AWS::S3::BucketPolicy +Applies an Amazon S3 bucket policy to an Amazon S3 bucket. If you are using an identity other than the root user of the AWS-account that owns the bucket, the calling identity must have the ``PutBucketPolicy`` permissions on the specified bucket and belong to the bucket owner's account in order to use this operation. + If you don't have ``PutBucketPolicy`` permissions, Amazon S3 returns a ``403 Access Denied`` error. If you have the correct permissions, but you're not using an identity that belongs to the bucket owner's account, Amazon S3 returns a ``405 Method Not Allowed`` error. 
+ As a security precaution, the root user of the AWS-account that owns a bucket can always use this operation, even if the policy explicitly denies the root user the ability to perform this action. + For more information, see [Bucket policy examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html). + The following operations are related to ``PutBucketPolicy``: + + [Create ## Example Usage @@ -77,7 +87,7 @@ resource "awscc_s3_bucket" "example" { ### Required - `bucket` (String) The name of the Amazon S3 bucket to which the policy applies. -- `policy_document` (String) A policy document containing permissions to add to the specified bucket. In IAM, you must provide policy documents in JSON format. However, in CloudFormation you can provide the policy in JSON or YAML format because CloudFormation converts YAML to JSON before submitting it to IAM. +- `policy_document` (String) A policy document containing permissions to add to the specified bucket. In IAM, you must provide policy documents in JSON format. However, in CloudFormation you can provide the policy in JSON or YAML format because CloudFormation converts YAML to JSON before submitting it to IAM. For more information, see the AWS::IAM::Policy [PolicyDocument](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-policydocument) resource description in this guide and [Access Policy Language Overview](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html) in the *Amazon S3 User Guide*. ### Read-Only diff --git a/docs/resources/sagemaker_feature_group.md b/docs/resources/sagemaker_feature_group.md index a4700232c0..744b2b7f5c 100644 --- a/docs/resources/sagemaker_feature_group.md +++ b/docs/resources/sagemaker_feature_group.md 
@@ -90,6 +90,7 @@ Optional: - `enable_online_store` (Boolean) - `security_config` (Attributes) (see [below for nested schema](#nestedatt--online_store_config--security_config)) - `storage_type` (String) +- `ttl_duration` (Attributes) TTL configuration of the feature group (see [below for nested schema](#nestedatt--online_store_config--ttl_duration)) ### Nested Schema for `online_store_config.security_config` @@ -99,6 +100,15 @@ Optional: - `kms_key_id` (String) + +### Nested Schema for `online_store_config.ttl_duration` + +Optional: + +- `unit` (String) Unit of ttl configuration +- `value` (Number) Value of ttl configuration + + ### Nested Schema for `tags` diff --git a/docs/resources/secretsmanager_secret.md b/docs/resources/secretsmanager_secret.md index 39148e8b99..30adae71cd 100644 --- a/docs/resources/secretsmanager_secret.md +++ b/docs/resources/secretsmanager_secret.md 
@@ -2,12 +2,20 @@ page_title: "awscc_secretsmanager_secret Resource - terraform-provider-awscc" subcategory: "" description: |- - Resource Type definition for AWS::SecretsManager::Secret + Creates a new secret. A secret can be a password, a set of credentials such as a user name and password, an OAuth token, or other secret information that you store in an encrypted form in Secrets Manager. + For RDS master user credentials, see AWS::RDS::DBCluster MasterUserSecret https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html. + To retrieve a secret in a CFNshort template, use a dynamic reference. For more information, see Retrieve a secret in an resource https://docs.aws.amazon.com/secretsmanager/latest/userguide/cfn-example_reference-secret.html. + A common scenario is to first create a secret with GenerateSecretString, which generates a password, and then use a dynamic reference to retrieve the username and password from the secret to use as credentials for a new database. See the example Creating a Redshift cluster and a secret for the admin credentials. + For information about creating a secret in the c --- # awscc_secretsmanager_secret (Resource) -Resource Type definition for AWS::SecretsManager::Secret +Creates a new secret. A *secret* can be a password, a set of credentials such as a user name and password, an OAuth token, or other secret information that you store in an encrypted form in Secrets Manager. + For RDS master user credentials, see [AWS::RDS::DBCluster MasterUserSecret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html). + To retrieve a secret in a CFNshort template, use a *dynamic reference*. For more information, see [Retrieve a secret in an resource](https://docs.aws.amazon.com/secretsmanager/latest/userguide/cfn-example_reference-secret.html). 
+ A common scenario is to first create a secret with ``GenerateSecretString``, which generates a password, and then use a dynamic reference to retrieve the username and password from the secret to use as credentials for a new database. See the example *Creating a Redshift cluster and a secret for the admin credentials*. + For information about creating a secret in the c ## Example Usage 
@@ -42,33 +50,43 @@ resource "awscc_secretsmanager_secret" "example_replica" { ### Optional -- `description` (String) (Optional) Specifies a user-provided description of the secret. -- `generate_secret_string` (Attributes) (Optional) Specifies text data that you want to encrypt and store in this new version of the secret. (see [below for nested schema](#nestedatt--generate_secret_string)) -- `kms_key_id` (String) (Optional) Specifies the ARN, Key ID, or alias of the AWS KMS customer master key (CMK) used to encrypt the SecretString. -- `name` (String) The friendly name of the secret. You can use forward slashes in the name to represent a path hierarchy. -- `replica_regions` (Attributes List) (Optional) A list of ReplicaRegion objects. The ReplicaRegion type consists of a Region (required) and the KmsKeyId which can be an ARN, Key ID, or Alias. (see [below for nested schema](#nestedatt--replica_regions)) -- `secret_string` (String) (Optional) Specifies text data that you want to encrypt and store in this new version of the secret. -- `tags` (Attributes List) The list of user-defined tags associated with the secret. Use tags to manage your AWS resources. For additional information about tags, see TagResource. (see [below for nested schema](#nestedatt--tags)) +- `description` (String) The description of the secret. +- `generate_secret_string` (Attributes) A structure that specifies how to generate a password to encrypt and store in the secret. To include a specific string in the secret, use ``SecretString`` instead. If you omit both ``GenerateSecretString`` and ``SecretString``, you create an empty secret. When you make a change to this property, a new secret version is created. + We recommend that you specify the maximum length and include every character type that the system you are generating a password for can support. 
(see [below for nested schema](#nestedatt--generate_secret_string)) +- `kms_key_id` (String) The ARN, key ID, or alias of the KMS key that Secrets Manager uses to encrypt the secret value in the secret. An alias is always prefixed by ``alias/``, for example ``alias/aws/secretsmanager``. For more information, see [About aliases](https://docs.aws.amazon.com/kms/latest/developerguide/alias-about.html). + To use a KMS key in a different account, use the key ARN or the alias ARN. + If you don't specify this value, then Secrets Manager uses the key ``aws/secretsmanager``. If that key doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value. + If the secret is in a different AWS account from the credentials calling the API, then you can't use ``aws/secretsmanager`` to encrypt the secret, and you must create and use a customer managed KMS key. +- `name` (String) The name of the new secret. + The secret name can contain ASCII letters, numbers, and the following characters: /_+=.@- + Do not end your secret name with a hyphen followed by six characters. If you do so, you risk confusion and unexpected results when searching for a secret by partial ARN. Secrets Manager automatically adds a hyphen and six random characters after the secret name at the end of the ARN. +- `replica_regions` (Attributes List) A custom type that specifies a ``Region`` and the ``KmsKeyId`` for a replica secret. (see [below for nested schema](#nestedatt--replica_regions)) +- `secret_string` (String) The text to encrypt and store in the secret. We recommend you use a JSON structure of key/value pairs for your secret value. To generate a random password, use ``GenerateSecretString`` instead. If you omit both ``GenerateSecretString`` and ``SecretString``, you create an empty secret. When you make a change to this property, a new secret version is created. +- `tags` (Attributes List) A list of tags to attach to the secret. 
Each tag is a key and value pair of strings in a JSON text string, for example: + ``[{"Key":"CostCenter","Value":"12345"},{"Key":"environment","Value":"production"}]`` + Secrets Manager tag key names are case sensitive. A tag with the key "ABC" is a different tag from one with key "abc". + Stack-level tags, tags you apply to the CloudFormation stack, are also attached to the secret. + If you check tags in permissions policies as part of your security strategy, then adding or removing a tag can change permissions. If the completion of this operation would result in you losing your permissions for this secret, then Secrets Manager blocks the operation and returns an ``Access Denied`` error. For more information, see [Control access to secrets using tags](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#tag-secrets-abac) and [Limit access to identities with tags that match secrets' tags](https://docs.aws.amazo (see [below for nested schema](#nestedatt--tags)) ### Read-Only -- `id` (String) secret Id, the Arn of the resource. +- `id` (String) The ID of this resource. ### Nested Schema for `generate_secret_string` Optional: -- `exclude_characters` (String) A string that excludes characters in the generated password. By default, all characters from the included sets can be used. The string can be a minimum length of 0 characters and a maximum length of 7168 characters. -- `exclude_lowercase` (Boolean) Specifies the generated password should not include lowercase letters. By default, ecrets Manager disables this parameter, and the generated password can include lowercase False, and the generated password can include lowercase letters. -- `exclude_numbers` (Boolean) Specifies that the generated password should exclude digits. By default, Secrets Manager does not enable the parameter, False, and the generated password can include digits. 
-- `exclude_punctuation` (Boolean) Specifies that the generated password should not include punctuation characters. The default if you do not include this switch parameter is that punctuation characters can be included. -- `exclude_uppercase` (Boolean) Specifies that the generated password should not include uppercase letters. The default behavior is False, and the generated password can include uppercase letters. -- `generate_string_key` (String) The JSON key name used to add the generated password to the JSON structure specified by the SecretStringTemplate parameter. If you specify this parameter, then you must also specify SecretStringTemplate. -- `include_space` (Boolean) Specifies that the generated password can include the space character. By default, Secrets Manager disables this parameter, and the generated password doesn't include space -- `password_length` (Number) The desired length of the generated password. The default value if you do not include this parameter is 32 characters. -- `require_each_included_type` (Boolean) Specifies whether the generated password must include at least one of every allowed character type. By default, Secrets Manager enables this parameter, and the generated password includes at least one of every character type. -- `secret_string_template` (String) A properly structured JSON string that the generated password can be added to. If you specify this parameter, then you must also specify GenerateStringKey. +- `exclude_characters` (String) A string of the characters that you don't want in the password. +- `exclude_lowercase` (Boolean) Specifies whether to exclude lowercase letters from the password. If you don't include this switch, the password can contain lowercase letters. +- `exclude_numbers` (Boolean) Specifies whether to exclude numbers from the password. If you don't include this switch, the password can contain numbers. 
+- `exclude_punctuation` (Boolean) Specifies whether to exclude the following punctuation characters from the password: ``! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~``. If you don't include this switch, the password can contain punctuation. +- `exclude_uppercase` (Boolean) Specifies whether to exclude uppercase letters from the password. If you don't include this switch, the password can contain uppercase letters. +- `generate_string_key` (String) The JSON key name for the key/value pair, where the value is the generated password. This pair is added to the JSON structure specified by the ``SecretStringTemplate`` parameter. If you specify this parameter, then you must also specify ``SecretStringTemplate``. +- `include_space` (Boolean) Specifies whether to include the space character. If you include this switch, the password can contain space characters. +- `password_length` (Number) The length of the password. If you don't include this parameter, the default length is 32 characters. +- `require_each_included_type` (Boolean) Specifies whether to include at least one upper and lowercase letter, one number, and one punctuation. If you don't include this switch, the password contains at least one of every character type. +- `secret_string_template` (String) A template that the generated string must match. When you make a change to this property, a new secret version is created. @@ -76,11 +94,11 @@ Optional: Required: -- `region` (String) (Optional) A string that represents a Region, for example "us-east-1". +- `region` (String) A string that represents a ``Region``, for example "us-east-1". Optional: -- `kms_key_id` (String) The ARN, key ID, or alias of the KMS key to encrypt the secret. If you don't include this field, Secrets Manager uses aws/secretsmanager. +- `kms_key_id` (String) The ARN, key ID, or alias of the KMS key to encrypt the secret. If you don't include this field, Secrets Manager uses ``aws/secretsmanager``. 
@@ -88,8 +106,8 @@ Optional: Required: -- `key` (String) The value for the tag. You can specify a value that's 1 to 256 characters in length. -- `value` (String) The key name of the tag. You can specify a value that's 1 to 128 Unicode characters in length and can't be prefixed with aws. +- `key` (String) The key identifier, or name, of the tag. +- `value` (String) The string value associated with the key of the tag. ## Import diff --git a/docs/resources/securityhub_standard.md b/docs/resources/securityhub_standard.md index 7549e77d4a..e28e9e1ded 100644 --- a/docs/resources/securityhub_standard.md +++ b/docs/resources/securityhub_standard.md 
@@ -2,12 +2,16 @@ page_title: "awscc_securityhub_standard Resource - terraform-provider-awscc" subcategory: "" description: |- - The AWS::SecurityHub::Standard resource represents the implementation of an individual AWS Security Hub Standard in your account. It requires you have SecurityHub enabled before you can enable the Standard. + The AWS::SecurityHub::Standard resource specifies the enablement of a security standard. The standard is identified by the StandardsArn property. To view a list of ASH standards and their Amazon Resource Names (ARNs), use the DescribeStandards https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html API operation. + You must create a separate AWS::SecurityHub::Standard resource for each standard that you want to enable. + For more information about ASH standards, see standards reference https://docs.aws.amazon.com/securityhub/latest/userguide/standards-reference.html in the User Guide. --- # awscc_securityhub_standard (Resource) -The AWS::SecurityHub::Standard resource represents the implementation of an individual AWS Security Hub Standard in your account. It requires you have SecurityHub enabled before you can enable the Standard. +The ``AWS::SecurityHub::Standard`` resource specifies the enablement of a security standard. The standard is identified by the ``StandardsArn`` property. To view a list of ASH standards and their Amazon Resource Names (ARNs), use the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API operation. + You must create a separate ``AWS::SecurityHub::Standard`` resource for each standard that you want to enable. + For more information about ASH standards, see [standards reference](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-reference.html) in the *User Guide*. ## Example Usage 
@@ -122,27 +126,28 @@ resource "awscc_securityhub_standard" "nist" { ### Required -- `standards_arn` (String) The ARN of the Standard being enabled +- `standards_arn` (String) The ARN of the standard that you want to enable. To view a list of available ASH standards and their ARNs, use the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API operation. ### Optional -- `disabled_standards_controls` (Attributes List) StandardsControls to disable from this Standard. (see [below for nested schema](#nestedatt--disabled_standards_controls)) +- `disabled_standards_controls` (Attributes List) Specifies which controls are to be disabled in a standard. + *Maximum*: ``100`` (see [below for nested schema](#nestedatt--disabled_standards_controls)) ### Read-Only - `id` (String) Uniquely identifies the resource. -- `standards_subscription_arn` (String) The ARN of the StandardsSubscription for the account ID, region, and Standard. +- `standards_subscription_arn` (String) ### Nested Schema for `disabled_standards_controls` Required: -- `standards_control_arn` (String) the Arn for the standard control. +- `standards_control_arn` (String) The Amazon Resource Name (ARN) of the control. Optional: -- `reason` (String) the reason the standard control is disabled +- `reason` (String) A user-defined reason for changing a control's enablement status in a specified standard. If you are disabling a control, then this property is required. ## Import diff --git a/docs/resources/wafv2_logging_configuration.md b/docs/resources/wafv2_logging_configuration.md index ff58bc36c1..7b1d8c71a7 100644 --- a/docs/resources/wafv2_logging_configuration.md +++ b/docs/resources/wafv2_logging_configuration.md 
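Review bot: `standards_subscription_arn` under Read-Only is now left with no description at all; the removed text ("The ARN of the StandardsSubscription for the account ID, region, and Standard.") was accurate and should be kept rather than blanked. Two smaller points in the same hunk: `reason` sits under Optional while the new text says it is required when disabling a control, and every entry in `disabled_standards_controls` disables a control, so either state plainly that it is always required here or move it under Required; and the `*Maximum*: \`\`100\`\`` fragment is placed on its own line inside the `disabled_standards_controls` bullet, which will render as a separate paragraph, so fold it into the bullet text.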
@@ -175,34 +175,11 @@ Required: Optional: -- `json_body` (Attributes) Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. (see [below for nested schema](#nestedatt--redacted_fields--json_body)) - `method` (String) Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - `query_string` (String) Inspect the query string. This is the part of a URL that appears after a ? character, if any. - `single_header` (Attributes) Inspect a single header. Provide the name of the header to inspect, for example, User-Agent or Referer. This setting isn't case sensitive. (see [below for nested schema](#nestedatt--redacted_fields--single_header)) - `uri_path` (String) Inspect the request URI path. This is the part of a web request that identifies a resource, for example, /images/daily-ad.jpg. - -### Nested Schema for `redacted_fields.json_body` - -Required: - -- `match_pattern` (Attributes) The patterns to look for in the JSON body. AWS WAF inspects the results of these pattern matches against the rule inspection criteria. (see [below for nested schema](#nestedatt--redacted_fields--json_body--match_pattern)) -- `match_scope` (String) The parts of the JSON to match against using the MatchPattern. If you specify All, AWS WAF matches against keys and values. - -Optional: - -- `invalid_fallback_behavior` (String) What AWS WAF should do if it fails to completely parse the JSON body. - - -### Nested Schema for `redacted_fields.json_body.match_pattern` - -Optional: - -- `all` (String) Match all of the elements. See also MatchScope in JsonBody. You must specify either this setting or the IncludedPaths setting, but not both. -- `included_paths` (List of String) Match only the specified include paths. See also MatchScope in JsonBody. 
- - - ### Nested Schema for `redacted_fields.single_header` diff --git a/examples/resources/awscc_cognito_user_pool_risk_configuration_attachment/import.sh b/examples/resources/awscc_cognito_user_pool_risk_configuration_attachment/import.sh new file mode 100644 index 0000000000..37eeb4287b --- /dev/null +++ b/examples/resources/awscc_cognito_user_pool_risk_configuration_attachment/import.sh @@ -0,0 +1 @@ +$ terraform import awscc_cognito_user_pool_risk_configuration_attachment.example
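Review bot: removing `json_body` from `redacted_fields` (together with the `redacted_fields.json_body` and `redacted_fields.json_body.match_pattern` nested schemas) is a breaking change for any existing configuration that sets `redacted_fields` with a `json_body` block; those configurations will stop validating after upgrade, so this needs a changelog entry and an upgrade note saying that `json_body` is no longer accepted for log redaction. The bullets that remain (`method`, `query_string`, `single_header`, `uri_path`) still read "Inspect the ...", which is the wording for rule match statements; in a logging configuration these fields name what is redacted from the logged request, so the text should say "Redact the ...".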
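Review bot: the new `import.sh` is missing the import ID argument; `terraform import` takes the resource address followed by the ID of the existing object, so `$ terraform import awscc_cognito_user_pool_risk_configuration_attachment.example` as written fails with a usage error. Append the identifier placeholder this resource uses for import, matching the format shown in the resource doc's Import section.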