diff --git a/apis/codebuild/2016-10-06/api-2.json b/apis/codebuild/2016-10-06/api-2.json index ec37192de83..58aa35bdf8b 100644 --- a/apis/codebuild/2016-10-06/api-2.json +++ b/apis/codebuild/2016-10-06/api-2.json @@ -2911,7 +2911,8 @@ "type":"string", "enum":[ "GITHUB_ORGANIZATION", - "GITHUB_GLOBAL" + "GITHUB_GLOBAL", + "GITLAB_GROUP" ] }, "WrapperBoolean":{"type":"boolean"}, diff --git a/apis/codebuild/2016-10-06/docs-2.json b/apis/codebuild/2016-10-06/docs-2.json index 9c165409e9c..cefb506ca73 100644 --- a/apis/codebuild/2016-10-06/docs-2.json +++ b/apis/codebuild/2016-10-06/docs-2.json @@ -1840,8 +1840,8 @@ "S3LogsConfig$location": "
The ARN of an S3 bucket and the path prefix for S3 logs. If your Amazon S3 bucket name is my-bucket
, and your path prefix is build-log
, then acceptable formats are my-bucket/build-log
or arn:aws:s3:::my-bucket/build-log
.
The Amazon Web Services account identifier of the owner of the Amazon S3 bucket. This allows report data to be exported to an Amazon S3 bucket that is owned by an account other than the account running the build.
", "S3ReportExportConfig$path": "The path to the exported report's raw data results.
", - "ScopeConfiguration$name": "The name of either the enterprise or organization that will send webhook events to CodeBuild, depending on if the webhook is a global or organization webhook respectively.
", - "ScopeConfiguration$domain": "The domain of the GitHub Enterprise organization. Note that this parameter is only required if your project's source type is GITHUB_ENTERPRISE
", + "ScopeConfiguration$name": "The name of either the group, enterprise, or organization that will send webhook events to CodeBuild, depending on the type of webhook.
", + "ScopeConfiguration$domain": "The domain of the GitHub Enterprise organization or the GitLab Self Managed group. Note that this parameter is only required if your project's source type is GITHUB_ENTERPRISE or GITLAB_SELF_MANAGED.
", "SourceAuth$resource": "The resource value that applies to the specified authorization type.
", "SourceCredentialsInfo$resource": "The connection ARN if your authType is CODECONNECTIONS or SECRETS_MANAGER.
", "StartBuildBatchInput$sourceVersion": "The version of the batch build input to be built, for this build only. If not specified, the latest version is used. If specified, the contents depends on the source provider:
The commit ID, branch, or Git tag to use.
The commit ID, pull request ID, branch name, or tag name that corresponds to the version of the source code you want to build. If a pull request ID is specified, it must use the format pr/pull-request-ID
(for example pr/25
). If a branch name is specified, the branch's HEAD commit ID is used. If not specified, the default branch's HEAD commit ID is used.
The commit ID, branch name, or tag name that corresponds to the version of the source code you want to build. If a branch name is specified, the branch's HEAD commit ID is used. If not specified, the default branch's HEAD commit ID is used.
The version ID of the object that represents the build input ZIP file to use.
If sourceVersion
is specified at the project level, then this sourceVersion
(at the build level) takes precedence.
For more information, see Source Version Sample with CodeBuild in the CodeBuild User Guide.
", @@ -2065,7 +2065,7 @@ "WebhookScopeType": { "base": null, "refs": { - "ScopeConfiguration$scope": "The type of scope for a GitHub webhook.
" + "ScopeConfiguration$scope": "The type of scope for a GitHub or GitLab webhook.
" } }, "WrapperBoolean": { diff --git a/apis/ecr/2015-09-21/api-2.json b/apis/ecr/2015-09-21/api-2.json index e7b69a39af4..b29ac6102c7 100644 --- a/apis/ecr/2015-09-21/api-2.json +++ b/apis/ecr/2015-09-21/api-2.json @@ -1333,7 +1333,9 @@ "status":{"shape":"Status"}, "title":{"shape":"Title"}, "type":{"shape":"Type"}, - "updatedAt":{"shape":"Date"} + "updatedAt":{"shape":"Date"}, + "fixAvailable":{"shape":"FixAvailable"}, + "exploitAvailable":{"shape":"ExploitAvailable"} } }, "EnhancedImageScanFindingList":{ @@ -1344,6 +1346,7 @@ "EvaluationTimestamp":{"type":"timestamp"}, "ExceptionMessage":{"type":"string"}, "ExpirationTimestamp":{"type":"timestamp"}, + "ExploitAvailable":{"type":"string"}, "FilePath":{"type":"string"}, "FindingArn":{"type":"string"}, "FindingDescription":{"type":"string"}, @@ -1364,6 +1367,8 @@ "key":{"shape":"FindingSeverity"}, "value":{"shape":"SeverityCount"} }, + "FixAvailable":{"type":"string"}, + "FixedInVersion":{"type":"string"}, "ForceFlag":{"type":"boolean"}, "GetAccountSettingRequest":{ "type":"structure", @@ -2931,7 +2936,8 @@ "packageManager":{"shape":"PackageManager"}, "release":{"shape":"Release"}, "sourceLayerHash":{"shape":"SourceLayerHash"}, - "version":{"shape":"Version"} + "version":{"shape":"Version"}, + "fixedInVersion":{"shape":"FixedInVersion"} } }, "VulnerablePackageName":{"type":"string"}, diff --git a/apis/ecr/2015-09-21/docs-2.json b/apis/ecr/2015-09-21/docs-2.json index 84d61d87bc7..8a79362c667 100644 --- a/apis/ecr/2015-09-21/docs-2.json +++ b/apis/ecr/2015-09-21/docs-2.json @@ -471,7 +471,7 @@ "EncryptionType": { "base": null, "refs": { - "EncryptionConfiguration$encryptionType": "The encryption type to use.
If you use the KMS
encryption type, the contents of the repository will be encrypted using server-side encryption with Key Management Service key stored in KMS. When you use KMS to encrypt your data, you can either use the default Amazon Web Services managed KMS key for Amazon ECR, or specify your own KMS key, which you already created.
If you use the KMS_DSSE
encryption type, the contents of the repository will be encrypted with two layers of encryption using server-side encryption with the KMS Management Service key stored in KMS. Similar to the KMS encryption type, you can either use the default Amazon Web Services managed KMS key for Amazon ECR, or specify your own KMS key, which you've already created.
If you use the AES256
encryption type, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys which encrypts the images in the repository using an AES256 encryption algorithm. For more information, see Protecting data using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) in the Amazon Simple Storage Service Console Developer Guide.
The encryption type to use.
If you use the KMS
encryption type, the contents of the repository will be encrypted using server-side encryption with Key Management Service key stored in KMS. When you use KMS to encrypt your data, you can either use the default Amazon Web Services managed KMS key for Amazon ECR, or specify your own KMS key, which you already created.
If you use the KMS_DSSE
encryption type, the contents of the repository will be encrypted with two layers of encryption using server-side encryption with the KMS Management Service key stored in KMS. Similar to the KMS
encryption type, you can either use the default Amazon Web Services managed KMS key for Amazon ECR, or specify your own KMS key, which you've already created.
If you use the AES256
encryption type, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys which encrypts the images in the repository using an AES256 encryption algorithm.
For more information, see Amazon ECR encryption at rest in the Amazon Elastic Container Registry User Guide.
", "EncryptionConfigurationForRepositoryCreationTemplate$encryptionType": "The encryption type to use.
If you use the KMS
encryption type, the contents of the repository will be encrypted using server-side encryption with Key Management Service key stored in KMS. When you use KMS to encrypt your data, you can either use the default Amazon Web Services managed KMS key for Amazon ECR, or specify your own KMS key, which you already created. For more information, see Protecting data using server-side encryption with an KMS key stored in Key Management Service (SSE-KMS) in the Amazon Simple Storage Service Console Developer Guide.
If you use the AES256
encryption type, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys which encrypts the images in the repository using an AES256 encryption algorithm. For more information, see Protecting data using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) in the Amazon Simple Storage Service Console Developer Guide.
The Unix time in seconds and milliseconds when the authorization token expires. Authorization tokens are valid for 12 hours.
" } }, + "ExploitAvailable": { + "base": null, + "refs": { + "EnhancedImageScanFinding$exploitAvailable": "If a finding discovered in your environment has an exploit available.
" + } + }, "FilePath": { "base": null, "refs": { @@ -590,6 +596,18 @@ "ImageScanFindingsSummary$findingSeverityCounts": "The image vulnerability counts, sorted by severity.
" } }, + "FixAvailable": { + "base": null, + "refs": { + "EnhancedImageScanFinding$fixAvailable": "Details on whether a fix is available through a version update. This value can be YES
, NO
, or PARTIAL
. A PARTIAL
fix means that some, but not all, of the packages identified in the finding have fixes available through updated versions.
The version of the package that contains the vulnerability fix.
" + } + }, "ForceFlag": { "base": null, "refs": { diff --git a/apis/ecs/2014-11-13/docs-2.json b/apis/ecs/2014-11-13/docs-2.json index 7cf79786034..dd0ac7d017b 100644 --- a/apis/ecs/2014-11-13/docs-2.json +++ b/apis/ecs/2014-11-13/docs-2.json @@ -197,11 +197,11 @@ "base": null, "refs": { "ContainerDefinition$essential": "If the essential
parameter of a container is marked as true
, and that container fails or stops for any reason, all other containers that are part of the task are stopped. If the essential
parameter of a container is marked as false
, its failure doesn't affect the rest of the containers in a task. If this parameter is omitted, a container is assumed to be essential.
All tasks must have at least one essential container. If you have an application that's composed of multiple containers, group containers that are used for a common purpose into components, and separate the different components into multiple task definitions. For more information, see Application Architecture in the Amazon Elastic Container Service Developer Guide.
", - "ContainerDefinition$disableNetworking": "When this parameter is true, networking is off within the container. This parameter maps to NetworkDisabled
in the docker conainer create command.
This parameter is not supported for Windows containers.
When this parameter is true, the container is given elevated privileges on the host container instance (similar to the root
user). This parameter maps to Privileged
in the the docker conainer create command and the --privileged
option to docker run
This parameter is not supported for Windows containers or tasks run on Fargate.
When this parameter is true, the container is given read-only access to its root file system. This parameter maps to ReadonlyRootfs
in the docker conainer create command and the --read-only
option to docker run.
This parameter is not supported for Windows containers.
When this parameter is true
, you can deploy containerized applications that require stdin
or a tty
to be allocated. This parameter maps to OpenStdin
in the docker conainer create command and the --interactive
option to docker run.
When this parameter is true
, a TTY is allocated. This parameter maps to Tty
in tthe docker conainer create command and the --tty
option to docker run.
When this parameter is true, networking is off within the container. This parameter maps to NetworkDisabled
in the docker container create command.
This parameter is not supported for Windows containers.
When this parameter is true, the container is given elevated privileges on the host container instance (similar to the root
user). This parameter maps to Privileged
in the docker container create command and the --privileged
option to docker run
This parameter is not supported for Windows containers or tasks run on Fargate.
When this parameter is true, the container is given read-only access to its root file system. This parameter maps to ReadonlyRootfs
in the docker container create command and the --read-only
option to docker run.
This parameter is not supported for Windows containers.
When this parameter is true
, you can deploy containerized applications that require stdin
or a tty
to be allocated. This parameter maps to OpenStdin
in the docker container create command and the --interactive
option to docker run.
When this parameter is true
, a TTY is allocated. This parameter maps to Tty
in the docker container create command and the --tty
option to docker run.
Specifies whether a restart policy is enabled for the container.
", "DeleteServiceRequest$force": "If true
, allows you to delete a service even if it wasn't scaled down to zero tasks. It's only necessary to use this if the service uses the REPLICA
scheduling strategy.
If true
, you can delete a task set even if it hasn't been scaled down to zero.
The exit code returned from the container.
", - "ContainerDefinition$memory": "The amount (in MiB) of memory to present to the container. If your container attempts to exceed the memory specified here, the container is killed. The total amount of memory reserved for all containers within a task must be lower than the task memory
value, if one is specified. This parameter maps to Memory
in thethe docker conainer create command and the --memory
option to docker run.
If using the Fargate launch type, this parameter is optional.
If using the EC2 launch type, you must specify either a task-level memory value or a container-level memory value. If you specify both a container-level memory
and memoryReservation
value, memory
must be greater than memoryReservation
. If you specify memoryReservation
, then that value is subtracted from the available memory resources for the container instance where the container is placed. Otherwise, the value of memory
is used.
The Docker 20.10.0 or later daemon reserves a minimum of 6 MiB of memory for a container. So, don't specify less than 6 MiB of memory for your containers.
The Docker 19.03.13-ce or earlier daemon reserves a minimum of 4 MiB of memory for a container. So, don't specify less than 4 MiB of memory for your containers.
", - "ContainerDefinition$memoryReservation": "The soft limit (in MiB) of memory to reserve for the container. When system memory is under heavy contention, Docker attempts to keep the container memory to this soft limit. However, your container can consume more memory when it needs to, up to either the hard limit specified with the memory
parameter (if applicable), or all of the available memory on the container instance, whichever comes first. This parameter maps to MemoryReservation
in the the docker conainer create command and the --memory-reservation
option to docker run.
If a task-level memory value is not specified, you must specify a non-zero integer for one or both of memory
or memoryReservation
in a container definition. If you specify both, memory
must be greater than memoryReservation
. If you specify memoryReservation
, then that value is subtracted from the available memory resources for the container instance where the container is placed. Otherwise, the value of memory
is used.
For example, if your container normally uses 128 MiB of memory, but occasionally bursts to 256 MiB of memory for short periods of time, you can set a memoryReservation
of 128 MiB, and a memory
hard limit of 300 MiB. This configuration would allow the container to only reserve 128 MiB of memory from the remaining resources on the container instance, but also allow the container to consume more memory resources when needed.
The Docker 20.10.0 or later daemon reserves a minimum of 6 MiB of memory for a container. So, don't specify less than 6 MiB of memory for your containers.
The Docker 19.03.13-ce or earlier daemon reserves a minimum of 4 MiB of memory for a container. So, don't specify less than 4 MiB of memory for your containers.
", + "ContainerDefinition$memory": "The amount (in MiB) of memory to present to the container. If your container attempts to exceed the memory specified here, the container is killed. The total amount of memory reserved for all containers within a task must be lower than the task memory
value, if one is specified. This parameter maps to Memory
in the docker container create command and the --memory
option to docker run.
If using the Fargate launch type, this parameter is optional.
If using the EC2 launch type, you must specify either a task-level memory value or a container-level memory value. If you specify both a container-level memory
and memoryReservation
value, memory
must be greater than memoryReservation
. If you specify memoryReservation
, then that value is subtracted from the available memory resources for the container instance where the container is placed. Otherwise, the value of memory
is used.
The Docker 20.10.0 or later daemon reserves a minimum of 6 MiB of memory for a container. So, don't specify less than 6 MiB of memory for your containers.
The Docker 19.03.13-ce or earlier daemon reserves a minimum of 4 MiB of memory for a container. So, don't specify less than 4 MiB of memory for your containers.
", + "ContainerDefinition$memoryReservation": "The soft limit (in MiB) of memory to reserve for the container. When system memory is under heavy contention, Docker attempts to keep the container memory to this soft limit. However, your container can consume more memory when it needs to, up to either the hard limit specified with the memory
parameter (if applicable), or all of the available memory on the container instance, whichever comes first. This parameter maps to MemoryReservation
in the docker container create command and the --memory-reservation
option to docker run.
If a task-level memory value is not specified, you must specify a non-zero integer for one or both of memory
or memoryReservation
in a container definition. If you specify both, memory
must be greater than memoryReservation
. If you specify memoryReservation
, then that value is subtracted from the available memory resources for the container instance where the container is placed. Otherwise, the value of memory
is used.
For example, if your container normally uses 128 MiB of memory, but occasionally bursts to 256 MiB of memory for short periods of time, you can set a memoryReservation
of 128 MiB, and a memory
hard limit of 300 MiB. This configuration would allow the container to only reserve 128 MiB of memory from the remaining resources on the container instance, but also allow the container to consume more memory resources when needed.
The Docker 20.10.0 or later daemon reserves a minimum of 6 MiB of memory for a container. So, don't specify less than 6 MiB of memory for your containers.
The Docker 19.03.13-ce or earlier daemon reserves a minimum of 4 MiB of memory for a container. So, don't specify less than 4 MiB of memory for your containers.
", "ContainerDefinition$startTimeout": "Time duration (in seconds) to wait before giving up on resolving dependencies for a container. For example, you specify two containers in a task definition with containerA having a dependency on containerB reaching a COMPLETE
, SUCCESS
, or HEALTHY
status. If a startTimeout
value is specified for containerB and it doesn't reach the desired status within that time then containerA gives up and not start. This results in the task transitioning to a STOPPED
state.
When the ECS_CONTAINER_START_TIMEOUT
container agent configuration variable is used, it's enforced independently from this start timeout value.
For tasks using the Fargate launch type, the task or service requires the following platforms:
Linux platform version 1.3.0
or later.
Windows platform version 1.0.0
or later.
For tasks using the EC2 launch type, your container instances require at least version 1.26.0
of the container agent to use a container start timeout value. However, we recommend using the latest container agent version. For information about checking your agent version and updating to the latest version, see Updating the Amazon ECS Container Agent in the Amazon Elastic Container Service Developer Guide. If you're using an Amazon ECS-optimized Linux AMI, your instance needs at least version 1.26.0-1
of the ecs-init
package. If your container instances are launched from version 20190301
or later, then they contain the required versions of the container agent and ecs-init
. For more information, see Amazon ECS-optimized Linux AMI in the Amazon Elastic Container Service Developer Guide.
The valid values for Fargate are 2-120 seconds.
", - "ContainerDefinition$stopTimeout": "Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own.
For tasks using the Fargate launch type, the task or service requires the following platforms:
Linux platform version 1.3.0
or later.
Windows platform version 1.0.0
or later.
The max stop timeout value is 120 seconds and if the parameter is not specified, the default value of 30 seconds is used.
For tasks that use the EC2 launch type, if the stopTimeout
parameter isn't specified, the value set for the Amazon ECS container agent configuration variable ECS_CONTAINER_STOP_TIMEOUT
is used. If neither the stopTimeout
parameter or the ECS_CONTAINER_STOP_TIMEOUT
agent configuration variable are set, then the default values of 30 seconds for Linux containers and 30 seconds on Windows containers are used. Your container instances require at least version 1.26.0 of the container agent to use a container stop timeout value. However, we recommend using the latest container agent version. For information about checking your agent version and updating to the latest version, see Updating the Amazon ECS Container Agent in the Amazon Elastic Container Service Developer Guide. If you're using an Amazon ECS-optimized Linux AMI, your instance needs at least version 1.26.0-1 of the ecs-init
package. If your container instances are launched from version 20190301
or later, then they contain the required versions of the container agent and ecs-init
. For more information, see Amazon ECS-optimized Linux AMI in the Amazon Elastic Container Service Developer Guide.
The valid values are 2-120 seconds.
", + "ContainerDefinition$stopTimeout": "Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own.
For tasks using the Fargate launch type, the task or service requires the following platforms:
Linux platform version 1.3.0
or later.
Windows platform version 1.0.0
or later.
For tasks that use the Fargate launch type, the max stop timeout value is 120 seconds and if the parameter is not specified, the default value of 30 seconds is used.
For tasks that use the EC2 launch type, if the stopTimeout
parameter isn't specified, the value set for the Amazon ECS container agent configuration variable ECS_CONTAINER_STOP_TIMEOUT
is used. If neither the stopTimeout
parameter or the ECS_CONTAINER_STOP_TIMEOUT
agent configuration variable are set, then the default values of 30 seconds for Linux containers and 30 seconds on Windows containers are used. Your container instances require at least version 1.26.0 of the container agent to use a container stop timeout value. However, we recommend using the latest container agent version. For information about checking your agent version and updating to the latest version, see Updating the Amazon ECS Container Agent in the Amazon Elastic Container Service Developer Guide. If you're using an Amazon ECS-optimized Linux AMI, your instance needs at least version 1.26.0-1 of the ecs-init
package. If your container instances are launched from version 20190301
or later, then they contain the required versions of the container agent and ecs-init
. For more information, see Amazon ECS-optimized Linux AMI in the Amazon Elastic Container Service Developer Guide.
The valid values for Fargate are 2-120 seconds.
", "ContainerOverride$cpu": "The number of cpu
units reserved for the container, instead of the default value from the task definition. You must also specify a container name.
The hard limit (in MiB) of memory to present to the container, instead of the default value from the task definition. If your container attempts to exceed the memory specified here, the container is killed. You must also specify a container name.
", "ContainerOverride$memoryReservation": "The soft limit (in MiB) of memory to reserve for the container, instead of the default value from the task definition. You must also specify a container name.
", @@ -233,8 +233,8 @@ "ContainerStateChange$exitCode": "The exit code for the container, if the state change is a result of the container exiting.
", "CreateServiceRequest$desiredCount": "The number of instantiations of the specified task definition to place and keep running in your service.
This is required if schedulingStrategy
is REPLICA
or isn't specified. If schedulingStrategy
is DAEMON
then this isn't required.
The period of time, in seconds, that the Amazon ECS service scheduler ignores unhealthy Elastic Load Balancing target health checks after a task has first started. This is only used when your service is configured to use a load balancer. If your service has a load balancer defined and you don't specify a health check grace period value, the default value of 0
is used.
If you do not use an Elastic Load Balancing, we recommend that you use the startPeriod
in the task definition health check parameters. For more information, see Health check.
If your service's tasks take a while to start and respond to Elastic Load Balancing health checks, you can specify a health check grace period of up to 2,147,483,647 seconds (about 69 years). During that time, the Amazon ECS service scheduler ignores health check status. This grace period can prevent the service scheduler from marking tasks as unhealthy and stopping them before they have time to come up.
", - "DeploymentConfiguration$maximumPercent": "If a service is using the rolling update (ECS
) deployment type, the maximumPercent
parameter represents an upper limit on the number of your service's tasks that are allowed in the RUNNING
or PENDING
state during a deployment, as a percentage of the desiredCount
(rounded down to the nearest integer). This parameter enables you to define the deployment batch size. For example, if your service is using the REPLICA
service scheduler and has a desiredCount
of four tasks and a maximumPercent
value of 200%, the scheduler may start four new tasks before stopping the four older tasks (provided that the cluster resources required to do this are available). The default maximumPercent
value for a service using the REPLICA
service scheduler is 200%.
If a service is using either the blue/green (CODE_DEPLOY
) or EXTERNAL
deployment types and tasks that use the EC2 launch type, the maximum percent value is set to the default value and is used to define the upper limit on the number of the tasks in the service that remain in the RUNNING
state while the container instances are in the DRAINING
state. If the tasks in the service use the Fargate launch type, the maximum percent value is not used, although it is returned when describing your service.
If a service is using the rolling update (ECS
) deployment type, the minimumHealthyPercent
represents a lower limit on the number of your service's tasks that must remain in the RUNNING
state during a deployment, as a percentage of the desiredCount
(rounded up to the nearest integer). This parameter enables you to deploy without using additional cluster capacity. For example, if your service has a desiredCount
of four tasks and a minimumHealthyPercent
of 50%, the service scheduler may stop two existing tasks to free up cluster capacity before starting two new tasks.
For services that do not use a load balancer, the following should be noted:
A service is considered healthy if all essential containers within the tasks in the service pass their health checks.
If a task has no essential containers with a health check defined, the service scheduler will wait for 40 seconds after a task reaches a RUNNING
state before the task is counted towards the minimum healthy percent total.
If a task has one or more essential containers with a health check defined, the service scheduler will wait for the task to reach a healthy status before counting it towards the minimum healthy percent total. A task is considered healthy when all essential containers within the task have passed their health checks. The amount of time the service scheduler can wait for is determined by the container health check settings.
For services that do use a load balancer, the following should be noted:
If a task has no essential containers with a health check defined, the service scheduler will wait for the load balancer target group health check to return a healthy status before counting the task towards the minimum healthy percent total.
If a task has an essential container with a health check defined, the service scheduler will wait for both the task to reach a healthy status and the load balancer target group health check to return a healthy status before counting the task towards the minimum healthy percent total.
The default value for a replica service for minimumHealthyPercent
is 100%. The default minimumHealthyPercent
value for a service using the DAEMON
service schedule is 0% for the CLI, the Amazon Web Services SDKs, and the APIs and 50% for the Amazon Web Services Management Console.
The minimum number of healthy tasks during a deployment is the desiredCount
multiplied by the minimumHealthyPercent
/100, rounded up to the nearest integer value.
If a service is using either the blue/green (CODE_DEPLOY
) or EXTERNAL
deployment types and is running tasks that use the EC2 launch type, the minimum healthy percent value is set to the default value and is used to define the lower limit on the number of the tasks in the service that remain in the RUNNING
state while the container instances are in the DRAINING
state. If a service is using either the blue/green (CODE_DEPLOY
) or EXTERNAL
deployment types and is running tasks that use the Fargate launch type, the minimum healthy percent value is not used, although it is returned when describing your service.
If a service is using the rolling update (ECS
) deployment type, the maximumPercent
parameter represents an upper limit on the number of your service's tasks that are allowed in the RUNNING
or PENDING
state during a deployment, as a percentage of the desiredCount
(rounded down to the nearest integer). This parameter enables you to define the deployment batch size. For example, if your service is using the REPLICA
service scheduler and has a desiredCount
of four tasks and a maximumPercent
value of 200%, the scheduler may start four new tasks before stopping the four older tasks (provided that the cluster resources required to do this are available). The default maximumPercent
value for a service using the REPLICA
service scheduler is 200%.
If a service is using either the blue/green (CODE_DEPLOY
) or EXTERNAL
deployment types, and tasks in the service use the EC2 launch type, the maximum percent value is set to the default value. The maximum percent value is used to define the upper limit on the number of the tasks in the service that remain in the RUNNING
state while the container instances are in the DRAINING
state.
You can't specify a custom maximumPercent
value for a service that uses either the blue/green (CODE_DEPLOY
) or EXTERNAL
deployment types and has tasks that use the EC2 launch type.
If the tasks in the service use the Fargate launch type, the maximum percent value is not used, although it is returned when describing your service.
", + "DeploymentConfiguration$minimumHealthyPercent": "If a service is using the rolling update (ECS
) deployment type, the minimumHealthyPercent
represents a lower limit on the number of your service's tasks that must remain in the RUNNING
state during a deployment, as a percentage of the desiredCount
(rounded up to the nearest integer). This parameter enables you to deploy without using additional cluster capacity. For example, if your service has a desiredCount
of four tasks and a minimumHealthyPercent
of 50%, the service scheduler may stop two existing tasks to free up cluster capacity before starting two new tasks.
For services that do not use a load balancer, the following should be noted:
A service is considered healthy if all essential containers within the tasks in the service pass their health checks.
If a task has no essential containers with a health check defined, the service scheduler will wait for 40 seconds after a task reaches a RUNNING
state before the task is counted towards the minimum healthy percent total.
If a task has one or more essential containers with a health check defined, the service scheduler will wait for the task to reach a healthy status before counting it towards the minimum healthy percent total. A task is considered healthy when all essential containers within the task have passed their health checks. The amount of time the service scheduler can wait for is determined by the container health check settings.
For services that do use a load balancer, the following should be noted:
If a task has no essential containers with a health check defined, the service scheduler will wait for the load balancer target group health check to return a healthy status before counting the task towards the minimum healthy percent total.
If a task has an essential container with a health check defined, the service scheduler will wait for both the task to reach a healthy status and the load balancer target group health check to return a healthy status before counting the task towards the minimum healthy percent total.
The default value for a replica service for minimumHealthyPercent
is 100%. The default minimumHealthyPercent
value for a service using the DAEMON
service schedule is 0% for the CLI, the Amazon Web Services SDKs, and the APIs and 50% for the Amazon Web Services Management Console.
The minimum number of healthy tasks during a deployment is the desiredCount
multiplied by the minimumHealthyPercent
/100, rounded up to the nearest integer value.
If a service is using either the blue/green (CODE_DEPLOY
) or EXTERNAL
deployment types and is running tasks that use the EC2 launch type, the minimum healthy percent value is set to the default value. The minimum healthy percent value is used to define the lower limit on the number of the tasks in the service that remain in the RUNNING
state while the container instances are in the DRAINING
state.
You can't specify a custom minimumHealthyPercent
value for a service that uses either the blue/green (CODE_DEPLOY
) or EXTERNAL
deployment types and has tasks that use the EC2 launch type.
If a service is using either the blue/green (CODE_DEPLOY
) or EXTERNAL
deployment types and is running tasks that use the Fargate launch type, the minimum healthy percent value is not used, although it is returned when describing your service.
The maximum number of account setting results returned by DescribeCapacityProviders
in paginated output. When this parameter is used, DescribeCapacityProviders
only returns maxResults
results in a single page along with a nextToken
response element. The remaining results of the initial request can be seen by sending another DescribeCapacityProviders
request with the returned nextToken
value. This value can be between 1 and 10. If this parameter is not used, then DescribeCapacityProviders
returns up to 10 results and a nextToken
value if applicable.
The port to use when sending encrypted data between the Amazon ECS host and the Amazon EFS server. If you do not specify a transit encryption port, it will use the port selection strategy that the Amazon EFS mount helper uses. For more information, see EFS mount helper in the Amazon Elastic File System User Guide.
", "HealthCheck$interval": "The time period in seconds between each health check execution. You may specify between 5 and 300 seconds. The default value is 30 seconds.
", @@ -458,7 +458,7 @@ "base": null, "refs": { "RegisterTaskDefinitionRequest$requiresCompatibilities": "The task launch type that Amazon ECS validates the task definition against. A client exception is returned if the task definition doesn't validate against the compatibilities specified. If no value is specified, the parameter is omitted from the response.
", - "TaskDefinition$compatibilities": "The task launch types the task definition validated against during task definition registration. For more information, see Amazon ECS launch types in the Amazon Elastic Container Service Developer Guide.
", + "TaskDefinition$compatibilities": "Amazon ECS validates the task definition parameters with those supported by the launch type. For more information, see Amazon ECS launch types in the Amazon Elastic Container Service Developer Guide.
", "TaskDefinition$requiresCompatibilities": "The task launch types the task definition was validated against. The valid values are EC2
, FARGATE
, and EXTERNAL
. For more information, see Amazon ECS launch types in the Amazon Elastic Container Service Developer Guide.
Any host devices to expose to the container. This parameter maps to Devices
in tthe docker conainer create command and the --device
option to docker run.
If you're using tasks that use the Fargate launch type, the devices
parameter isn't supported.
Any host devices to expose to the container. This parameter maps to Devices
in the docker container create command and the --device
option to docker run.
If you're using tasks that use the Fargate launch type, the devices
parameter isn't supported.
A key/value map of labels to add to the container. This parameter maps to Labels
in the docker conainer create command and the --label
option to docker run. This parameter requires version 1.18 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: sudo docker version --format '{{.Server.APIVersion}}'
A key/value map of labels to add to the container. This parameter maps to Labels
in the docker container create command and the --label
option to docker run. This parameter requires version 1.18 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: sudo docker version --format '{{.Server.APIVersion}}'
The environment variables to pass to a container. This parameter maps to Env
in the docker conainer create command and the --env
option to docker run.
We don't recommend that you use plaintext environment variables for sensitive information, such as credential data.
The environment variables to pass to a container. This parameter maps to Env
in the docker container create command and the --env
option to docker run.
We don't recommend that you use plaintext environment variables for sensitive information, such as credential data.
The environment variables to send to the container. You can add new environment variables, which are added to the container at launch, or you can override the existing environment variables from the Docker image or the task definition. You must also specify a container name.
" } }, @@ -1117,7 +1117,7 @@ "HealthCheck": { "base": "An object representing a container health check. Health check parameters that are specified in a container definition override any Docker health checks that exist in the container image (such as those specified in a parent image or from the image's Dockerfile). This configuration maps to the HEALTHCHECK
parameter of docker run.
The Amazon ECS container agent only monitors and reports on the health checks specified in the task definition. Amazon ECS does not monitor Docker health checks that are embedded in a container image and not specified in the container definition. Health check parameters that are specified in a container definition override any Docker health checks that exist in the container image.
You can view the health status of both individual containers and a task with the DescribeTasks API operation or when viewing the task details in the console.
The health check is designed to make sure that your containers survive agent restarts, upgrades, or temporary unavailability.
Amazon ECS performs health checks on containers with the default that launched the container instance or the task.
The following describes the possible healthStatus
values for a container:
HEALTHY
-The container health check has passed successfully.
UNHEALTHY
-The container health check has failed.
UNKNOWN
-The container health check is being evaluated, there's no container health check defined, or Amazon ECS doesn't have the health status of the container.
The following describes the possible healthStatus
values based on the container health checker status of essential containers in the task with the following priority order (high to low):
UNHEALTHY
-One or more essential containers have failed their health check.
UNKNOWN
-Any essential container running within the task is in an UNKNOWN
state and no other essential containers have an UNHEALTHY
state.
HEALTHY
-All essential containers within the task have passed their health checks.
Consider the following task health example with 2 containers.
If Container1 is UNHEALTHY
and Container2 is UNKNOWN
, the task health is UNHEALTHY
.
If Container1 is UNHEALTHY
and Container2 is HEALTHY
, the task health is UNHEALTHY
.
If Container1 is HEALTHY
and Container2 is UNKNOWN
, the task health is UNKNOWN
.
If Container1 is HEALTHY
and Container2 is HEALTHY
, the task health is HEALTHY
.
Consider the following task health example with 3 containers.
If Container1 is UNHEALTHY
and Container2 is UNKNOWN
, and Container3 is UNKNOWN
, the task health is UNHEALTHY
.
If Container1 is UNHEALTHY
and Container2 is UNKNOWN
, and Container3 is HEALTHY
, the task health is UNHEALTHY
.
If Container1 is UNHEALTHY
and Container2 is HEALTHY
, and Container3 is HEALTHY
, the task health is UNHEALTHY
.
If Container1 is HEALTHY
and Container2 is UNKNOWN
, and Container3 is HEALTHY
, the task health is UNKNOWN
.
If Container1 is HEALTHY
and Container2 is UNKNOWN
, and Container3 is UNKNOWN
, the task health is UNKNOWN
.
If Container1 is HEALTHY
and Container2 is HEALTHY
, and Container3 is HEALTHY
, the task health is HEALTHY
.
If a task is run manually, and not as part of a service, the task will continue its lifecycle regardless of its health status. For tasks that are part of a service, if the task reports as unhealthy then the task will be stopped and the service scheduler will replace it.
The following are notes about container health check support:
If the Amazon ECS container agent becomes disconnected from the Amazon ECS service, this won't cause a container to transition to an UNHEALTHY
status. This is by design, to ensure that containers remain running during agent restarts or temporary unavailability. The health check status is the \"last heard from\" response from the Amazon ECS agent, so if the container was considered HEALTHY
prior to the disconnect, that status will remain until the agent reconnects and another health check occurs. There are no assumptions made about the status of the container health checks.
Container health checks require version 1.17.0
or greater of the Amazon ECS container agent. For more information, see Updating the Amazon ECS container agent.
Container health checks are supported for Fargate tasks if you're using platform version 1.1.0
or greater. For more information, see Fargate platform versions.
Container health checks aren't supported for tasks that are part of a service that's configured to use a Classic Load Balancer.
The container health check command and associated configuration parameters for the container. This parameter maps to HealthCheck
in the docker conainer create command and the HEALTHCHECK
parameter of docker run.
The container health check command and associated configuration parameters for the container. This parameter maps to HealthCheck
in the docker container create command and the HEALTHCHECK
parameter of docker run.
A list of hostnames and IP address mappings to append to the /etc/hosts
file on the container. This parameter maps to ExtraHosts
in the docker conainer create command and the --add-host
option to docker run.
This parameter isn't supported for Windows containers or tasks that use the awsvpc
network mode.
A list of hostnames and IP address mappings to append to the /etc/hosts
file on the container. This parameter maps to ExtraHosts
in the docker container create command and the --add-host
option to docker run.
This parameter isn't supported for Windows containers or tasks that use the awsvpc
network mode.
The number of tasks in the cluster that are in the RUNNING
state.
The number of tasks in the cluster that are in the PENDING
state.
The number of services that are running on the cluster in an ACTIVE
state. You can view these services with PListServices.
The number of cpu
units reserved for the container. This parameter maps to CpuShares
in the docker conainer create commandand the --cpu-shares
option to docker run.
This field is optional for tasks using the Fargate launch type, and the only requirement is that the total amount of CPU reserved for all containers within a task be lower than the task-level cpu
value.
You can determine the number of CPU units that are available per EC2 instance type by multiplying the vCPUs listed for that instance type on the Amazon EC2 Instances detail page by 1,024.
Linux containers share unallocated CPU units with other containers on the container instance with the same ratio as their allocated amount. For example, if you run a single-container task on a single-core instance type with 512 CPU units specified for that container, and that's the only task running on the container instance, that container could use the full 1,024 CPU unit share at any given time. However, if you launched another copy of the same task on that container instance, each task is guaranteed a minimum of 512 CPU units when needed. Moreover, each container could float to higher CPU usage if the other container was not using it. If both tasks were 100% active all of the time, they would be limited to 512 CPU units.
On Linux container instances, the Docker daemon on the container instance uses the CPU value to calculate the relative CPU share ratios for running containers. The minimum valid CPU share value that the Linux kernel allows is 2, and the maximum valid CPU share value that the Linux kernel allows is 262144. However, the CPU parameter isn't required, and you can use CPU values below 2 or above 262144 in your container definitions. For CPU values below 2 (including null) or above 262144, the behavior varies based on your Amazon ECS container agent version:
Agent versions less than or equal to 1.1.0: Null and zero CPU values are passed to Docker as 0, which Docker then converts to 1,024 CPU shares. CPU values of 1 are passed to Docker as 1, which the Linux kernel converts to two CPU shares.
Agent versions greater than or equal to 1.2.0: Null, zero, and CPU values of 1 are passed to Docker as 2.
Agent versions greater than or equal to 1.84.0: CPU values greater than 256 vCPU are passed to Docker as 256, which is equivalent to 262144 CPU shares.
On Windows container instances, the CPU limit is enforced as an absolute limit, or a quota. Windows containers only have access to the specified amount of CPU that's described in the task definition. A null or zero CPU value is passed to Docker as 0
, which Windows interprets as 1% of one CPU.
The number of cpu
units reserved for the container. This parameter maps to CpuShares
in the docker container create commandand the --cpu-shares
option to docker run.
This field is optional for tasks using the Fargate launch type, and the only requirement is that the total amount of CPU reserved for all containers within a task be lower than the task-level cpu
value.
You can determine the number of CPU units that are available per EC2 instance type by multiplying the vCPUs listed for that instance type on the Amazon EC2 Instances detail page by 1,024.
Linux containers share unallocated CPU units with other containers on the container instance with the same ratio as their allocated amount. For example, if you run a single-container task on a single-core instance type with 512 CPU units specified for that container, and that's the only task running on the container instance, that container could use the full 1,024 CPU unit share at any given time. However, if you launched another copy of the same task on that container instance, each task is guaranteed a minimum of 512 CPU units when needed. Moreover, each container could float to higher CPU usage if the other container was not using it. If both tasks were 100% active all of the time, they would be limited to 512 CPU units.
On Linux container instances, the Docker daemon on the container instance uses the CPU value to calculate the relative CPU share ratios for running containers. The minimum valid CPU share value that the Linux kernel allows is 2, and the maximum valid CPU share value that the Linux kernel allows is 262144. However, the CPU parameter isn't required, and you can use CPU values below 2 or above 262144 in your container definitions. For CPU values below 2 (including null) or above 262144, the behavior varies based on your Amazon ECS container agent version:
Agent versions less than or equal to 1.1.0: Null and zero CPU values are passed to Docker as 0, which Docker then converts to 1,024 CPU shares. CPU values of 1 are passed to Docker as 1, which the Linux kernel converts to two CPU shares.
Agent versions greater than or equal to 1.2.0: Null, zero, and CPU values of 1 are passed to Docker as 2.
Agent versions greater than or equal to 1.84.0: CPU values greater than 256 vCPU are passed to Docker as 256, which is equivalent to 262144 CPU shares.
On Windows container instances, the CPU limit is enforced as an absolute limit, or a quota. Windows containers only have access to the specified amount of CPU that's described in the task definition. A null or zero CPU value is passed to Docker as 0
, which Windows interprets as 1% of one CPU.
The number of tasks on the container instance that have a desired status (desiredStatus
) of RUNNING
.
The number of tasks on the container instance that are in the PENDING
status.
The most recent desired count of tasks that was specified for the service to deploy or maintain.
", @@ -1229,8 +1229,8 @@ "TaskSet$pendingCount": "The number of tasks in the task set that are in the PENDING
status during a deployment. A task in the PENDING
state is preparing to enter the RUNNING
state. A task set enters the PENDING
status when it launches for the first time or when it's restarted after being in the STOPPED
state.
The number of tasks in the task set that are in the RUNNING
status during a deployment. A task in the RUNNING
state is running and ready for use.
The maximum size (in MiB) of the tmpfs volume.
", - "Ulimit$softLimit": "The soft limit for the ulimit
type.
The hard limit for the ulimit
type.
The soft limit for the ulimit
type. The value can be specified in bytes, seconds, or as a count, depending on the type
of the ulimit
.
The hard limit for the ulimit
type. The value can be specified in bytes, seconds, or as a count, depending on the type
of the ulimit
.
The log configuration for the container. This parameter maps to LogConfig
in the docker conainer create command and the --log-driver
option to docker run.
By default, containers use the same logging driver that the Docker daemon uses. However, the container might use a different logging driver than the Docker daemon by specifying a log driver configuration in the container definition.
Understand the following when specifying a log configuration for your containers.
Amazon ECS currently supports a subset of the logging drivers available to the Docker daemon. Additional log drivers may be available in future releases of the Amazon ECS container agent.
For tasks on Fargate, the supported log drivers are awslogs
, splunk
, and awsfirelens
.
For tasks hosted on Amazon EC2 instances, the supported log drivers are awslogs
, fluentd
, gelf
, json-file
, journald
,syslog
, splunk
, and awsfirelens
.
This parameter requires version 1.18 of the Docker Remote API or greater on your container instance.
For tasks that are hosted on Amazon EC2 instances, the Amazon ECS container agent must register the available logging drivers with the ECS_AVAILABLE_LOGGING_DRIVERS
environment variable before containers placed on that instance can use these log configuration options. For more information, see Amazon ECS container agent configuration in the Amazon Elastic Container Service Developer Guide.
For tasks that are on Fargate, because you don't have access to the underlying infrastructure your tasks are hosted on, any additional software needed must be installed outside of the task. For example, the Fluentd output aggregators or a remote host running Logstash to send Gelf logs to.
The log configuration for the container. This parameter maps to LogConfig
in the docker container create command and the --log-driver
option to docker run.
By default, containers use the same logging driver that the Docker daemon uses. However, the container might use a different logging driver than the Docker daemon by specifying a log driver configuration in the container definition.
Understand the following when specifying a log configuration for your containers.
Amazon ECS currently supports a subset of the logging drivers available to the Docker daemon. Additional log drivers may be available in future releases of the Amazon ECS container agent.
For tasks on Fargate, the supported log drivers are awslogs
, splunk
, and awsfirelens
.
For tasks hosted on Amazon EC2 instances, the supported log drivers are awslogs
, fluentd
, gelf
, json-file
, journald
,syslog
, splunk
, and awsfirelens
.
This parameter requires version 1.18 of the Docker Remote API or greater on your container instance.
For tasks that are hosted on Amazon EC2 instances, the Amazon ECS container agent must register the available logging drivers with the ECS_AVAILABLE_LOGGING_DRIVERS
environment variable before containers placed on that instance can use these log configuration options. For more information, see Amazon ECS container agent configuration in the Amazon Elastic Container Service Developer Guide.
For tasks that are on Fargate, because you don't have access to the underlying infrastructure your tasks are hosted on, any additional software needed must be installed outside of the task. For example, the Fluentd output aggregators or a remote host running Logstash to send Gelf logs to.
The log configuration specification for the container.
This parameter maps to LogConfig
in the docker conainer create command and the --log-driver
option to docker run. By default, containers use the same logging driver that the Docker daemon uses. However the container can use a different logging driver than the Docker daemon by specifying a log driver with this parameter in the container definition. To use a different logging driver for a container, the log system must be configured properly on the container instance (or on a different log server for remote logging options).
Amazon ECS currently supports a subset of the logging drivers available to the Docker daemon (shown in the LogConfiguration data type). Additional log drivers may be available in future releases of the Amazon ECS container agent.
This parameter requires version 1.18 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: sudo docker version --format '{{.Server.APIVersion}}'
The Amazon ECS container agent running on a container instance must register the logging drivers available on that instance with the ECS_AVAILABLE_LOGGING_DRIVERS
environment variable before containers placed on that instance can use these log configuration options. For more information, see Amazon ECS Container Agent Configuration in the Amazon Elastic Container Service Developer Guide.
The log configuration specification for the container.
This parameter maps to LogConfig
in the docker container create command and the --log-driver
option to docker run. By default, containers use the same logging driver that the Docker daemon uses. However the container can use a different logging driver than the Docker daemon by specifying a log driver with this parameter in the container definition. To use a different logging driver for a container, the log system must be configured properly on the container instance (or on a different log server for remote logging options).
Amazon ECS currently supports a subset of the logging drivers available to the Docker daemon (shown in the LogConfiguration data type). Additional log drivers may be available in future releases of the Amazon ECS container agent.
This parameter requires version 1.18 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: sudo docker version --format '{{.Server.APIVersion}}'
The Amazon ECS container agent running on a container instance must register the logging drivers available on that instance with the ECS_AVAILABLE_LOGGING_DRIVERS
environment variable before containers placed on that instance can use these log configuration options. For more information, see Amazon ECS Container Agent Configuration in the Amazon Elastic Container Service Developer Guide.
The mount points for data volumes in your container.
This parameter maps to Volumes
in the the docker conainer create command and the --volume
option to docker run.
Windows containers can mount whole directories on the same drive as $env:ProgramData
. Windows containers can't mount directories on a different drive, and mount point can't be across drives.
The mount points for data volumes in your container.
This parameter maps to Volumes
in the docker container create command and the --volume
option to docker run.
Windows containers can mount whole directories on the same drive as $env:ProgramData
. Windows containers can't mount directories on a different drive, and mount point can't be across drives.
Port mappings allow containers to access ports on the host container instance to send or receive traffic. Port mappings are specified as part of the container definition.
If you use containers in a task with the awsvpc
or host
network mode, specify the exposed ports using containerPort
. The hostPort
can be left blank or it must be the same value as the containerPort
.
Most fields of this parameter (containerPort
, hostPort
, protocol
) maps to PortBindings
in the docker conainer create command and the --publish
option to docker run
. If the network mode of a task definition is set to host
, host ports must either be undefined or match the container port in the port mapping.
You can't expose the same container port for multiple protocols. If you attempt this, an error is returned.
After a task reaches the RUNNING
status, manual and automatic host and container port assignments are visible in the networkBindings
section of DescribeTasks API responses.
Port mappings allow containers to access ports on the host container instance to send or receive traffic. Port mappings are specified as part of the container definition.
If you use containers in a task with the awsvpc
or host
network mode, specify the exposed ports using containerPort
. The hostPort
can be left blank or it must be the same value as the containerPort
.
Most fields of this parameter (containerPort
, hostPort
, protocol
) maps to PortBindings
in the docker container create command and the --publish
option to docker run
. If the network mode of a task definition is set to host
, host ports must either be undefined or match the container port in the port mapping.
You can't expose the same container port for multiple protocols. If you attempt this, an error is returned.
After a task reaches the RUNNING
status, manual and automatic host and container port assignments are visible in the networkBindings
section of DescribeTasks API responses.
The list of port mappings for the container. Port mappings allow containers to access ports on the host container instance to send or receive traffic.
For task definitions that use the awsvpc
network mode, only specify the containerPort
. The hostPort
can be left blank or it must be the same value as the containerPort
.
Port mappings on Windows use the NetNAT
gateway address rather than localhost
. There's no loopback for port mappings on Windows, so you can't access a container's mapped port from the host itself.
This parameter maps to PortBindings
in the the docker conainer create command and the --publish
option to docker run. If the network mode of a task definition is set to none
, then you can't specify port mappings. If the network mode of a task definition is set to host
, then host ports must either be undefined or they must match the container port in the port mapping.
After a task reaches the RUNNING
status, manual and automatic host and container port assignments are visible in the Network Bindings section of a container description for a selected task in the Amazon ECS console. The assignments are also visible in the networkBindings
section DescribeTasks responses.
The list of port mappings for the container. Port mappings allow containers to access ports on the host container instance to send or receive traffic.
For task definitions that use the awsvpc
network mode, only specify the containerPort
. The hostPort
can be left blank or it must be the same value as the containerPort
.
Port mappings on Windows use the NetNAT
gateway address rather than localhost
. There's no loopback for port mappings on Windows, so you can't access a container's mapped port from the host itself.
This parameter maps to PortBindings
in the the docker container create command and the --publish
option to docker run. If the network mode of a task definition is set to none
, then you can't specify port mappings. If the network mode of a task definition is set to host
, then host ports must either be undefined or they must match the container port in the port mapping.
After a task reaches the RUNNING
status, manual and automatic host and container port assignments are visible in the Network Bindings section of a container description for a selected task in the Amazon ECS console. The assignments are also visible in the networkBindings
section DescribeTasks responses.
The resource name to disable the account setting for. If serviceLongArnFormat
is specified, the ARN for your Amazon ECS services is affected. If taskLongArnFormat
is specified, the ARN and resource ID for your Amazon ECS tasks is affected. If containerInstanceLongArnFormat
is specified, the ARN and resource ID for your Amazon ECS container instances is affected. If awsvpcTrunking
is specified, the ENI limit for your Amazon ECS container instances is affected.
The name of the account setting you want to list the settings for.
", "PutAccountSettingDefaultRequest$name": "The resource name for which to modify the account setting.
The following are the valid values for the account setting name.
serviceLongArnFormat
- When modified, the Amazon Resource Name (ARN) and resource ID format of the resource type for a specified user, role, or the root user for an account is affected. The opt-in and opt-out account setting must be set for each Amazon ECS resource separately. The ARN and resource ID format of a resource is defined by the opt-in status of the user or role that created the resource. You must turn on this setting to use Amazon ECS features such as resource tagging.
taskLongArnFormat
- When modified, the Amazon Resource Name (ARN) and resource ID format of the resource type for a specified user, role, or the root user for an account is affected. The opt-in and opt-out account setting must be set for each Amazon ECS resource separately. The ARN and resource ID format of a resource is defined by the opt-in status of the user or role that created the resource. You must turn on this setting to use Amazon ECS features such as resource tagging.
containerInstanceLongArnFormat
- When modified, the Amazon Resource Name (ARN) and resource ID format of the resource type for a specified user, role, or the root user for an account is affected. The opt-in and opt-out account setting must be set for each Amazon ECS resource separately. The ARN and resource ID format of a resource is defined by the opt-in status of the user or role that created the resource. You must turn on this setting to use Amazon ECS features such as resource tagging.
awsvpcTrunking
- When modified, the elastic network interface (ENI) limit for any new container instances that support the feature is changed. If awsvpcTrunking
is turned on, any new container instances that support the feature are launched have the increased ENI limits available to them. For more information, see Elastic Network Interface Trunking in the Amazon Elastic Container Service Developer Guide.
containerInsights
- When modified, the default setting indicating whether Amazon Web Services CloudWatch Container Insights is turned on for your clusters is changed. If containerInsights
is turned on, any new clusters that are created will have Container Insights turned on unless you disable it during cluster creation. For more information, see CloudWatch Container Insights in the Amazon Elastic Container Service Developer Guide.
dualStackIPv6
- When turned on, when using a VPC in dual stack mode, your tasks using the awsvpc
network mode can have an IPv6 address assigned. For more information on using IPv6 with tasks launched on Amazon EC2 instances, see Using a VPC in dual-stack mode. For more information on using IPv6 with tasks launched on Fargate, see Using a VPC in dual-stack mode.
fargateFIPSMode
- If you specify fargateFIPSMode
, Fargate FIPS 140 compliance is affected.
fargateTaskRetirementWaitPeriod
- When Amazon Web Services determines that a security or infrastructure update is needed for an Amazon ECS task hosted on Fargate, the tasks need to be stopped and new tasks launched to replace them. Use fargateTaskRetirementWaitPeriod
to configure the wait time to retire a Fargate task. For information about the Fargate tasks maintenance, see Amazon Web Services Fargate task maintenance in the Amazon ECS Developer Guide.
tagResourceAuthorization
- Amazon ECS is introducing tagging authorization for resource creation. Users must have permissions for actions that create the resource, such as ecsCreateCluster
. If tags are specified when you create a resource, Amazon Web Services performs additional authorization to verify if users or roles have permissions to create tags. Therefore, you must grant explicit permissions to use the ecs:TagResource
action. For more information, see Grant permission to tag resources on creation in the Amazon ECS Developer Guide.
guardDutyActivate
- The guardDutyActivate
parameter is read-only in Amazon ECS and indicates whether Amazon ECS Runtime Monitoring is enabled or disabled by your security administrator in your Amazon ECS account. Amazon GuardDuty controls this account setting on your behalf. For more information, see Protecting Amazon ECS workloads with Amazon ECS Runtime Monitoring.
The Amazon ECS account setting name to modify.
The following are the valid values for the account setting name.
serviceLongArnFormat
- When modified, the Amazon Resource Name (ARN) and resource ID format of the resource type for a specified user, role, or the root user for an account is affected. The opt-in and opt-out account setting must be set for each Amazon ECS resource separately. The ARN and resource ID format of a resource is defined by the opt-in status of the user or role that created the resource. You must turn on this setting to use Amazon ECS features such as resource tagging.
taskLongArnFormat
- When modified, the Amazon Resource Name (ARN) and resource ID format of the resource type for a specified user, role, or the root user for an account is affected. The opt-in and opt-out account setting must be set for each Amazon ECS resource separately. The ARN and resource ID format of a resource is defined by the opt-in status of the user or role that created the resource. You must turn on this setting to use Amazon ECS features such as resource tagging.
containerInstanceLongArnFormat
- When modified, the Amazon Resource Name (ARN) and resource ID format of the resource type for a specified user, role, or the root user for an account is affected. The opt-in and opt-out account setting must be set for each Amazon ECS resource separately. The ARN and resource ID format of a resource is defined by the opt-in status of the user or role that created the resource. You must turn on this setting to use Amazon ECS features such as resource tagging.
awsvpcTrunking
- When modified, the elastic network interface (ENI) limit for any new container instances that support the feature is changed. If awsvpcTrunking
is turned on, any new container instances that support the feature are launched have the increased ENI limits available to them. For more information, see Elastic Network Interface Trunking in the Amazon Elastic Container Service Developer Guide.
containerInsights
- When modified, the default setting indicating whether Amazon Web Services CloudWatch Container Insights is turned on for your clusters is changed. If containerInsights
is turned on, any new clusters that are created will have Container Insights turned on unless you disable it during cluster creation. For more information, see CloudWatch Container Insights in the Amazon Elastic Container Service Developer Guide.
dualStackIPv6
- When turned on, when using a VPC in dual stack mode, your tasks using the awsvpc
network mode can have an IPv6 address assigned. For more information on using IPv6 with tasks launched on Amazon EC2 instances, see Using a VPC in dual-stack mode. For more information on using IPv6 with tasks launched on Fargate, see Using a VPC in dual-stack mode.
fargateFIPSMode
- If you specify fargateFIPSMode
, Fargate FIPS 140 compliance is affected.
fargateTaskRetirementWaitPeriod
- When Amazon Web Services determines that a security or infrastructure update is needed for an Amazon ECS task hosted on Fargate, the tasks need to be stopped and new tasks launched to replace them. Use fargateTaskRetirementWaitPeriod
to configure the wait time to retire a Fargate task. For information about the Fargate tasks maintenance, see Amazon Web Services Fargate task maintenance in the Amazon ECS Developer Guide.
tagResourceAuthorization
- Amazon ECS is introducing tagging authorization for resource creation. Users must have permissions for actions that create the resource, such as ecsCreateCluster
. If tags are specified when you create a resource, Amazon Web Services performs additional authorization to verify if users or roles have permissions to create tags. Therefore, you must grant explicit permissions to use the ecs:TagResource
action. For more information, see Grant permission to tag resources on creation in the Amazon ECS Developer Guide.
guardDutyActivate
- The guardDutyActivate
parameter is read-only in Amazon ECS and indicates whether Amazon ECS Runtime Monitoring is enabled or disabled by your security administrator in your Amazon ECS account. Amazon GuardDuty controls this account setting on your behalf. For more information, see Protecting Amazon ECS workloads with Amazon ECS Runtime Monitoring.
The Amazon ECS account setting name to modify.
The following are the valid values for the account setting name.
serviceLongArnFormat
- When modified, the Amazon Resource Name (ARN) and resource ID format of the resource type for a specified user, role, or the root user for an account is affected. The opt-in and opt-out account setting must be set for each Amazon ECS resource separately. The ARN and resource ID format of a resource is defined by the opt-in status of the user or role that created the resource. You must turn on this setting to use Amazon ECS features such as resource tagging.
taskLongArnFormat
- When modified, the Amazon Resource Name (ARN) and resource ID format of the resource type for a specified user, role, or the root user for an account is affected. The opt-in and opt-out account setting must be set for each Amazon ECS resource separately. The ARN and resource ID format of a resource is defined by the opt-in status of the user or role that created the resource. You must turn on this setting to use Amazon ECS features such as resource tagging.
containerInstanceLongArnFormat
- When modified, the Amazon Resource Name (ARN) and resource ID format of the resource type for a specified user, role, or the root user for an account is affected. The opt-in and opt-out account setting must be set for each Amazon ECS resource separately. The ARN and resource ID format of a resource is defined by the opt-in status of the user or role that created the resource. You must turn on this setting to use Amazon ECS features such as resource tagging.
awsvpcTrunking
- When modified, the elastic network interface (ENI) limit for any new container instances that support the feature is changed. If awsvpcTrunking
is turned on, any new container instances that support the feature are launched have the increased ENI limits available to them. For more information, see Elastic Network Interface Trunking in the Amazon Elastic Container Service Developer Guide.
containerInsights
- When modified, the default setting indicating whether Amazon Web Services CloudWatch Container Insights is turned on for your clusters is changed. If containerInsights
is turned on, any new clusters that are created will have Container Insights turned on unless you disable it during cluster creation. For more information, see CloudWatch Container Insights in the Amazon Elastic Container Service Developer Guide.
dualStackIPv6
- When turned on, when using a VPC in dual stack mode, your tasks using the awsvpc
network mode can have an IPv6 address assigned. For more information on using IPv6 with tasks launched on Amazon EC2 instances, see Using a VPC in dual-stack mode. For more information on using IPv6 with tasks launched on Fargate, see Using a VPC in dual-stack mode.
fargateTaskRetirementWaitPeriod
- When Amazon Web Services determines that a security or infrastructure update is needed for an Amazon ECS task hosted on Fargate, the tasks need to be stopped and new tasks launched to replace them. Use fargateTaskRetirementWaitPeriod
to configure the wait time to retire a Fargate task. For information about the Fargate tasks maintenance, see Amazon Web Services Fargate task maintenance in the Amazon ECS Developer Guide.
tagResourceAuthorization
- Amazon ECS is introducing tagging authorization for resource creation. Users must have permissions for actions that create the resource, such as ecsCreateCluster
. If tags are specified when you create a resource, Amazon Web Services performs additional authorization to verify if users or roles have permissions to create tags. Therefore, you must grant explicit permissions to use the ecs:TagResource
action. For more information, see Grant permission to tag resources on creation in the Amazon ECS Developer Guide.
guardDutyActivate
- The guardDutyActivate
parameter is read-only in Amazon ECS and indicates whether Amazon ECS Runtime Monitoring is enabled or disabled by your security administrator in your Amazon ECS account. Amazon GuardDuty controls this account setting on your behalf. For more information, see Protecting Amazon ECS workloads with Amazon ECS Runtime Monitoring.
The Amazon ECS resource name.
" } }, @@ -2176,11 +2176,11 @@ "Container$cpu": "The number of CPU units set for the container. The value is 0
if no value was specified in the container definition when the task definition was registered.
The hard limit (in MiB) of memory set for the container.
", "Container$memoryReservation": "The soft limit (in MiB) of memory set for the container.
", - "ContainerDefinition$name": "The name of a container. If you're linking multiple containers together in a task definition, the name
of one container can be entered in the links
of another container to connect the containers. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. This parameter maps to name
in tthe docker conainer create command and the --name
option to docker run.
The image used to start a container. This string is passed directly to the Docker daemon. By default, images in the Docker Hub registry are available. Other repositories are specified with either repository-url/image:tag
or repository-url/image@digest
. Up to 255 letters (uppercase and lowercase), numbers, hyphens, underscores, colons, periods, forward slashes, and number signs are allowed. This parameter maps to Image
in the docker conainer create command and the IMAGE
parameter of docker run.
When a new task starts, the Amazon ECS container agent pulls the latest version of the specified image and tag for the container to use. However, subsequent updates to a repository image aren't propagated to already running tasks.
Images in Amazon ECR repositories can be specified by either using the full registry/repository:tag
or registry/repository@digest
. For example, 012345678910.dkr.ecr.<region-name>.amazonaws.com/<repository-name>:latest
or 012345678910.dkr.ecr.<region-name>.amazonaws.com/<repository-name>@sha256:94afd1f2e64d908bc90dbca0035a5b567EXAMPLE
.
Images in official repositories on Docker Hub use a single name (for example, ubuntu
or mongo
).
Images in other repositories on Docker Hub are qualified with an organization name (for example, amazon/amazon-ecs-agent
).
Images in other online repositories are qualified further by a domain name (for example, quay.io/assemblyline/ubuntu
).
The hostname to use for your container. This parameter maps to Hostname
in thethe docker conainer create command and the --hostname
option to docker run.
The hostname
parameter is not supported if you're using the awsvpc
network mode.
The user to use inside the container. This parameter maps to User
in the docker conainer create command and the --user
option to docker run.
When running tasks using the host
network mode, don't run containers using the root user (UID 0). We recommend using a non-root user for better security.
You can specify the user
using the following formats. If specifying a UID or GID, you must specify it as a positive integer.
user
user:group
uid
uid:gid
user:gid
uid:group
This parameter is not supported for Windows containers.
The working directory to run commands inside the container in. This parameter maps to WorkingDir
in the docker conainer create command and the --workdir
option to docker run.
The name of a container. If you're linking multiple containers together in a task definition, the name
of one container can be entered in the links
of another container to connect the containers. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. This parameter maps to name
in the docker container create command and the --name
option to docker run.
The image used to start a container. This string is passed directly to the Docker daemon. By default, images in the Docker Hub registry are available. Other repositories are specified with either repository-url/image:tag
or repository-url/image@digest
. Up to 255 letters (uppercase and lowercase), numbers, hyphens, underscores, colons, periods, forward slashes, and number signs are allowed. This parameter maps to Image
in the docker container create command and the IMAGE
parameter of docker run.
When a new task starts, the Amazon ECS container agent pulls the latest version of the specified image and tag for the container to use. However, subsequent updates to a repository image aren't propagated to already running tasks.
Images in Amazon ECR repositories can be specified by either using the full registry/repository:tag
or registry/repository@digest
. For example, 012345678910.dkr.ecr.<region-name>.amazonaws.com/<repository-name>:latest
or 012345678910.dkr.ecr.<region-name>.amazonaws.com/<repository-name>@sha256:94afd1f2e64d908bc90dbca0035a5b567EXAMPLE
.
Images in official repositories on Docker Hub use a single name (for example, ubuntu
or mongo
).
Images in other repositories on Docker Hub are qualified with an organization name (for example, amazon/amazon-ecs-agent
).
Images in other online repositories are qualified further by a domain name (for example, quay.io/assemblyline/ubuntu
).
The hostname to use for your container. This parameter maps to Hostname
in the docker container create command and the --hostname
option to docker run.
The hostname
parameter is not supported if you're using the awsvpc
network mode.
The user to use inside the container. This parameter maps to User
in the docker container create command and the --user
option to docker run.
When running tasks using the host
network mode, don't run containers using the root user (UID 0). We recommend using a non-root user for better security.
You can specify the user
using the following formats. If specifying a UID or GID, you must specify it as a positive integer.
user
user:group
uid
uid:gid
user:gid
uid:group
This parameter is not supported for Windows containers.
The working directory to run commands inside the container in. This parameter maps to WorkingDir
in the docker container create command and the --workdir
option to docker run.
The name of a container.
", "ContainerInstance$containerInstanceArn": "The Amazon Resource Name (ARN) of the container instance. For more information about the ARN format, see Amazon Resource Name (ARN) in the Amazon ECS Developer Guide.
", "ContainerInstance$ec2InstanceId": "The ID of the container instance. For Amazon EC2 instances, this value is the Amazon EC2 instance ID. For external instances, this value is the Amazon Web Services Systems Manager managed instance ID.
", @@ -2243,7 +2243,7 @@ "DiscoverPollEndpointResponse$serviceConnectEndpoint": "The endpoint for the Amazon ECS agent to poll for Service Connect configuration. For more information, see Service Connect in the Amazon Elastic Container Service Developer Guide.
", "DockerLabelsMap$key": null, "DockerLabelsMap$value": null, - "DockerVolumeConfiguration$driver": "The Docker volume driver to use. The driver value must match the driver name provided by Docker because it is used for task placement. If the driver was installed using the Docker plugin CLI, use docker plugin ls
to retrieve the driver name from your container instance. If the driver was installed using another method, use Docker plugin discovery to retrieve the driver name. This parameter maps to Driver
in the docker conainer create command and the xxdriver
option to docker volume create.
The Docker volume driver to use. The driver value must match the driver name provided by Docker because it is used for task placement. If the driver was installed using the Docker plugin CLI, use docker plugin ls
to retrieve the driver name from your container instance. If the driver was installed using another method, use Docker plugin discovery to retrieve the driver name. This parameter maps to Driver
in the docker container create command and the xxdriver
option to docker volume create.
The Amazon EFS access point ID to use. If an access point is specified, the root directory value specified in the EFSVolumeConfiguration
must either be omitted or set to /
which will enforce the path set on the EFS access point. If an access point is used, transit encryption must be on in the EFSVolumeConfiguration
. For more information, see Working with Amazon EFS access points in the Amazon Elastic File System User Guide.
The Amazon EFS file system ID to use.
", "EFSVolumeConfiguration$rootDirectory": "The directory within the Amazon EFS file system to mount as the root directory inside the host. If this parameter is omitted, the root of the Amazon EFS volume will be used. Specifying /
will have the same effect as omitting this parameter.
If an EFS access point is specified in the authorizationConfig
, the root directory parameter must either be omitted or set to /
which will enforce the path set on the EFS access point.
The IDs of the subnets associated with the task or service. There's a limit of 16 subnets that can be specified per awsvpcConfiguration
.
All specified subnets must be from the same VPC.
The IDs of the security groups associated with the task or service. If you don't specify a security group, the default security group for the VPC is used. There's a limit of 5 security groups that can be specified per awsvpcConfiguration
.
All specified security groups must be from the same VPC.
The capacity providers associated with the cluster.
", - "ContainerDefinition$links": "The links
parameter allows containers to communicate with each other without the need for port mappings. This parameter is only supported if the network mode of a task definition is bridge
. The name:internalName
construct is analogous to name:alias
in Docker links. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed.. This parameter maps to Links
in the docker conainer create command and the --link
option to docker run.
This parameter is not supported for Windows containers.
Containers that are collocated on a single container instance may be able to communicate with each other without requiring links or host port mappings. Network isolation is achieved on the container instance using security groups and VPC settings.
Early versions of the Amazon ECS container agent don't properly handle entryPoint
parameters. If you have problems using entryPoint
, update your container agent or enter your commands and arguments as command
array items instead.
The entry point that's passed to the container. This parameter maps to Entrypoint
in tthe docker conainer create command and the --entrypoint
option to docker run.
The command that's passed to the container. This parameter maps to Cmd
in the docker conainer create command and the COMMAND
parameter to docker run. If there are multiple arguments, each argument is a separated string in the array.
A list of DNS servers that are presented to the container. This parameter maps to Dns
in the the docker conainer create command and the --dns
option to docker run.
This parameter is not supported for Windows containers.
A list of DNS search domains that are presented to the container. This parameter maps to DnsSearch
in the docker conainer create command and the --dns-search
option to docker run.
This parameter is not supported for Windows containers.
A list of strings to provide custom configuration for multiple security systems. This field isn't valid for containers in tasks using the Fargate launch type.
For Linux tasks on EC2, this parameter can be used to reference custom labels for SELinux and AppArmor multi-level security systems.
For any tasks on EC2, this parameter can be used to reference a credential spec file that configures a container for Active Directory authentication. For more information, see Using gMSAs for Windows Containers and Using gMSAs for Linux Containers in the Amazon Elastic Container Service Developer Guide.
This parameter maps to SecurityOpt
in the docker conainer create command and the --security-opt
option to docker run.
The Amazon ECS container agent running on a container instance must register with the ECS_SELINUX_CAPABLE=true
or ECS_APPARMOR_CAPABLE=true
environment variables before containers placed on that instance can use these security options. For more information, see Amazon ECS Container Agent Configuration in the Amazon Elastic Container Service Developer Guide.
Valid values: \"no-new-privileges\" | \"apparmor:PROFILE\" | \"label:value\" | \"credentialspec:CredentialSpecFilePath\"
", + "ContainerDefinition$links": "The links
parameter allows containers to communicate with each other without the need for port mappings. This parameter is only supported if the network mode of a task definition is bridge
. The name:internalName
construct is analogous to name:alias
in Docker links. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed.. This parameter maps to Links
in the docker container create command and the --link
option to docker run.
This parameter is not supported for Windows containers.
Containers that are collocated on a single container instance may be able to communicate with each other without requiring links or host port mappings. Network isolation is achieved on the container instance using security groups and VPC settings.
Early versions of the Amazon ECS container agent don't properly handle entryPoint
parameters. If you have problems using entryPoint
, update your container agent or enter your commands and arguments as command
array items instead.
The entry point that's passed to the container. This parameter maps to Entrypoint
in the docker container create command and the --entrypoint
option to docker run.
The command that's passed to the container. This parameter maps to Cmd
in the docker container create command and the COMMAND
parameter to docker run. If there are multiple arguments, each argument is a separated string in the array.
A list of DNS servers that are presented to the container. This parameter maps to Dns
in the docker container create command and the --dns
option to docker run.
This parameter is not supported for Windows containers.
A list of DNS search domains that are presented to the container. This parameter maps to DnsSearch
in the docker container create command and the --dns-search
option to docker run.
This parameter is not supported for Windows containers.
A list of strings to provide custom configuration for multiple security systems. This field isn't valid for containers in tasks using the Fargate launch type.
For Linux tasks on EC2, this parameter can be used to reference custom labels for SELinux and AppArmor multi-level security systems.
For any tasks on EC2, this parameter can be used to reference a credential spec file that configures a container for Active Directory authentication. For more information, see Using gMSAs for Windows Containers and Using gMSAs for Linux Containers in the Amazon Elastic Container Service Developer Guide.
This parameter maps to SecurityOpt
in the docker container create command and the --security-opt
option to docker run.
The Amazon ECS container agent running on a container instance must register with the ECS_SELINUX_CAPABLE=true
or ECS_APPARMOR_CAPABLE=true
environment variables before containers placed on that instance can use these security options. For more information, see Amazon ECS Container Agent Configuration in the Amazon Elastic Container Service Developer Guide.
Valid values: \"no-new-privileges\" | \"apparmor:PROFILE\" | \"label:value\" | \"credentialspec:CredentialSpecFilePath\"
", "ContainerDefinition$credentialSpecs": "A list of ARNs in SSM or Amazon S3 to a credential spec (CredSpec
) file that configures the container for Active Directory authentication. We recommend that you use this parameter instead of the dockerSecurityOptions
. The maximum number of ARNs is 1.
There are two formats for each ARN.
You use credentialspecdomainless:MyARN
to provide a CredSpec
with an additional section for a secret in Secrets Manager. You provide the login credentials to the domain in the secret.
Each task that runs on any container instance can join different domains.
You can use this format without joining the container instance to a domain.
You use credentialspec:MyARN
to provide a CredSpec
for a single domain.
You must join the container instance to the domain before you start any tasks that use this task definition.
In both formats, replace MyARN
with the ARN in SSM or Amazon S3.
If you provide a credentialspecdomainless:MyARN
, the credspec
must provide a ARN in Secrets Manager for a secret containing the username, password, and the domain to connect to. For better security, the instance isn't joined to the domain for domainless authentication. Other applications on the instance can't use the domainless credentials. You can use this parameter to run tasks on the same instance, even it the tasks need to join different domains. For more information, see Using gMSAs for Windows Containers and Using gMSAs for Linux Containers.
The command to send to the container that overrides the default command from the Docker image or the task definition. You must also specify a container name.
", "CreateClusterRequest$capacityProviders": "The short name of one or more capacity providers to associate with the cluster. A capacity provider must be associated with a cluster before it can be included as part of the default capacity provider strategy of the cluster or used in a capacity provider strategy when calling the CreateService or RunTask actions.
If specifying a capacity provider that uses an Auto Scaling group, the capacity provider must be created but not associated with another cluster. New Auto Scaling group capacity providers can be created with the CreateCapacityProvider API operation.
To use a Fargate capacity provider, specify either the FARGATE
or FARGATE_SPOT
capacity providers. The Fargate capacity providers are available to all accounts and only need to be associated with a cluster to be used.
The PutCapacityProvider API operation is used to update the list of available capacity providers for a cluster after the cluster is created.
", @@ -2513,9 +2513,9 @@ "DescribeTaskSetsRequest$taskSets": "The ID or full Amazon Resource Name (ARN) of task sets to describe.
", "DescribeTasksRequest$tasks": "A list of up to 100 task IDs or full ARN entries.
", "GetTaskProtectionRequest$tasks": "A list of up to 100 task IDs or full ARN entries.
", - "HealthCheck$command": "A string array representing the command that the container runs to determine if it is healthy. The string array must start with CMD
to run the command arguments directly, or CMD-SHELL
to run the command with the container's default shell.
When you use the Amazon Web Services Management Console JSON panel, the Command Line Interface, or the APIs, enclose the list of commands in double quotes and brackets.
[ \"CMD-SHELL\", \"curl -f http://localhost/ || exit 1\" ]
You don't include the double quotes and brackets when you use the Amazon Web Services Management Console.
CMD-SHELL, curl -f http://localhost/ || exit 1
An exit code of 0 indicates success, and non-zero exit code indicates failure. For more information, see HealthCheck
in tthe docker conainer create command
The Linux capabilities for the container that have been added to the default configuration provided by Docker. This parameter maps to CapAdd
in the docker conainer create command and the --cap-add
option to docker run.
Tasks launched on Fargate only support adding the SYS_PTRACE
kernel capability.
Valid values: \"ALL\" | \"AUDIT_CONTROL\" | \"AUDIT_WRITE\" | \"BLOCK_SUSPEND\" | \"CHOWN\" | \"DAC_OVERRIDE\" | \"DAC_READ_SEARCH\" | \"FOWNER\" | \"FSETID\" | \"IPC_LOCK\" | \"IPC_OWNER\" | \"KILL\" | \"LEASE\" | \"LINUX_IMMUTABLE\" | \"MAC_ADMIN\" | \"MAC_OVERRIDE\" | \"MKNOD\" | \"NET_ADMIN\" | \"NET_BIND_SERVICE\" | \"NET_BROADCAST\" | \"NET_RAW\" | \"SETFCAP\" | \"SETGID\" | \"SETPCAP\" | \"SETUID\" | \"SYS_ADMIN\" | \"SYS_BOOT\" | \"SYS_CHROOT\" | \"SYS_MODULE\" | \"SYS_NICE\" | \"SYS_PACCT\" | \"SYS_PTRACE\" | \"SYS_RAWIO\" | \"SYS_RESOURCE\" | \"SYS_TIME\" | \"SYS_TTY_CONFIG\" | \"SYSLOG\" | \"WAKE_ALARM\"
The Linux capabilities for the container that have been removed from the default configuration provided by Docker. This parameter maps to CapDrop
in the docker conainer create command and the --cap-drop
option to docker run.
Valid values: \"ALL\" | \"AUDIT_CONTROL\" | \"AUDIT_WRITE\" | \"BLOCK_SUSPEND\" | \"CHOWN\" | \"DAC_OVERRIDE\" | \"DAC_READ_SEARCH\" | \"FOWNER\" | \"FSETID\" | \"IPC_LOCK\" | \"IPC_OWNER\" | \"KILL\" | \"LEASE\" | \"LINUX_IMMUTABLE\" | \"MAC_ADMIN\" | \"MAC_OVERRIDE\" | \"MKNOD\" | \"NET_ADMIN\" | \"NET_BIND_SERVICE\" | \"NET_BROADCAST\" | \"NET_RAW\" | \"SETFCAP\" | \"SETGID\" | \"SETPCAP\" | \"SETUID\" | \"SYS_ADMIN\" | \"SYS_BOOT\" | \"SYS_CHROOT\" | \"SYS_MODULE\" | \"SYS_NICE\" | \"SYS_PACCT\" | \"SYS_PTRACE\" | \"SYS_RAWIO\" | \"SYS_RESOURCE\" | \"SYS_TIME\" | \"SYS_TTY_CONFIG\" | \"SYSLOG\" | \"WAKE_ALARM\"
A string array representing the command that the container runs to determine if it is healthy. The string array must start with CMD
to run the command arguments directly, or CMD-SHELL
to run the command with the container's default shell.
When you use the Amazon Web Services Management Console JSON panel, the Command Line Interface, or the APIs, enclose the list of commands in double quotes and brackets.
[ \"CMD-SHELL\", \"curl -f http://localhost/ || exit 1\" ]
You don't include the double quotes and brackets when you use the Amazon Web Services Management Console.
CMD-SHELL, curl -f http://localhost/ || exit 1
An exit code of 0 indicates success, and non-zero exit code indicates failure. For more information, see HealthCheck
in the docker container create command
The Linux capabilities for the container that have been added to the default configuration provided by Docker. This parameter maps to CapAdd
in the docker container create command and the --cap-add
option to docker run.
Tasks launched on Fargate only support adding the SYS_PTRACE
kernel capability.
Valid values: \"ALL\" | \"AUDIT_CONTROL\" | \"AUDIT_WRITE\" | \"BLOCK_SUSPEND\" | \"CHOWN\" | \"DAC_OVERRIDE\" | \"DAC_READ_SEARCH\" | \"FOWNER\" | \"FSETID\" | \"IPC_LOCK\" | \"IPC_OWNER\" | \"KILL\" | \"LEASE\" | \"LINUX_IMMUTABLE\" | \"MAC_ADMIN\" | \"MAC_OVERRIDE\" | \"MKNOD\" | \"NET_ADMIN\" | \"NET_BIND_SERVICE\" | \"NET_BROADCAST\" | \"NET_RAW\" | \"SETFCAP\" | \"SETGID\" | \"SETPCAP\" | \"SETUID\" | \"SYS_ADMIN\" | \"SYS_BOOT\" | \"SYS_CHROOT\" | \"SYS_MODULE\" | \"SYS_NICE\" | \"SYS_PACCT\" | \"SYS_PTRACE\" | \"SYS_RAWIO\" | \"SYS_RESOURCE\" | \"SYS_TIME\" | \"SYS_TTY_CONFIG\" | \"SYSLOG\" | \"WAKE_ALARM\"
The Linux capabilities for the container that have been removed from the default configuration provided by Docker. This parameter maps to CapDrop
in the docker container create command and the --cap-drop
option to docker run.
Valid values: \"ALL\" | \"AUDIT_CONTROL\" | \"AUDIT_WRITE\" | \"BLOCK_SUSPEND\" | \"CHOWN\" | \"DAC_OVERRIDE\" | \"DAC_READ_SEARCH\" | \"FOWNER\" | \"FSETID\" | \"IPC_LOCK\" | \"IPC_OWNER\" | \"KILL\" | \"LEASE\" | \"LINUX_IMMUTABLE\" | \"MAC_ADMIN\" | \"MAC_OVERRIDE\" | \"MKNOD\" | \"NET_ADMIN\" | \"NET_BIND_SERVICE\" | \"NET_BROADCAST\" | \"NET_RAW\" | \"SETFCAP\" | \"SETGID\" | \"SETPCAP\" | \"SETUID\" | \"SYS_ADMIN\" | \"SYS_BOOT\" | \"SYS_CHROOT\" | \"SYS_MODULE\" | \"SYS_NICE\" | \"SYS_PACCT\" | \"SYS_PTRACE\" | \"SYS_RAWIO\" | \"SYS_RESOURCE\" | \"SYS_TIME\" | \"SYS_TTY_CONFIG\" | \"SYSLOG\" | \"WAKE_ALARM\"
The list of full Amazon Resource Name (ARN) entries for each cluster that's associated with your account.
", "ListContainerInstancesResponse$containerInstanceArns": "The list of container instances with full ARN entries for each container instance associated with the specified cluster.
", "ListServicesByNamespaceResponse$serviceArns": "The list of full ARN entries for each service that's associated with the specified namespace.
", @@ -2535,7 +2535,7 @@ "base": null, "refs": { "DockerVolumeConfiguration$driverOpts": "A map of Docker driver-specific options passed through. This parameter maps to DriverOpts
in the docker create-volume command and the xxopt
option to docker volume create.
Custom metadata to add to your Docker volume. This parameter maps to Labels
in the docker conainer create command and the xxlabel
option to docker volume create.
Custom metadata to add to your Docker volume. This parameter maps to Labels
in the docker container create command and the xxlabel
option to docker volume create.
A list of namespaced kernel parameters to set in the container. This parameter maps to Sysctls
in tthe docker conainer create command and the --sysctl
option to docker run. For example, you can configure net.ipv4.tcp_keepalive_time
setting to maintain longer lived connections.
We don't recommend that you specify network-related systemControls
parameters for multiple containers in a single task that also uses either the awsvpc
or host
network mode. Doing this has the following disadvantages:
For tasks that use the awsvpc
network mode including Fargate, if you set systemControls
for any container, it applies to all containers in the task. If you set different systemControls
for multiple containers in a single task, the container that's started last determines which systemControls
take effect.
For tasks that use the host
network mode, the network namespace systemControls
aren't supported.
If you're setting an IPC resource namespace to use for the containers in the task, the following conditions apply to your system controls. For more information, see IPC mode.
For tasks that use the host
IPC mode, IPC namespace systemControls
aren't supported.
For tasks that use the task
IPC mode, IPC namespace systemControls
values apply to all containers within a task.
This parameter is not supported for Windows containers.
This parameter is only supported for tasks that are hosted on Fargate if the tasks are using platform version 1.4.0
or later (Linux). This isn't supported for Windows containers on Fargate.
A list of namespaced kernel parameters to set in the container. This parameter maps to Sysctls
in the docker container create command and the --sysctl
option to docker run. For example, you can configure net.ipv4.tcp_keepalive_time
setting to maintain longer lived connections.
We don't recommend that you specify network-related systemControls
parameters for multiple containers in a single task that also uses either the awsvpc
or host
network mode. Doing this has the following disadvantages:
For tasks that use the awsvpc
network mode including Fargate, if you set systemControls
for any container, it applies to all containers in the task. If you set different systemControls
for multiple containers in a single task, the container that's started last determines which systemControls
take effect.
For tasks that use the host
network mode, the network namespace systemControls
aren't supported.
If you're setting an IPC resource namespace to use for the containers in the task, the following conditions apply to your system controls. For more information, see IPC mode.
For tasks that use the host
IPC mode, IPC namespace systemControls
aren't supported.
For tasks that use the task
IPC mode, IPC namespace systemControls
values apply to all containers within a task.
This parameter is not supported for Windows containers.
This parameter is only supported for tasks that are hosted on Fargate if the tasks are using platform version 1.4.0
or later (Linux). This isn't supported for Windows containers on Fargate.
A list of namespaced kernel parameters to set in the container. This parameter maps to Sysctls
in tthe docker conainer create command and the --sysctl
option to docker run. For example, you can configure net.ipv4.tcp_keepalive_time
setting to maintain longer lived connections.
A list of namespaced kernel parameters to set in the container. This parameter maps to Sysctls
in the docker container create command and the --sysctl
option to docker run. For example, you can configure net.ipv4.tcp_keepalive_time
setting to maintain longer lived connections.
A list of ulimits
to set in the container. If a ulimit
value is specified in a task definition, it overrides the default values set by Docker. This parameter maps to Ulimits
in tthe docker conainer create command and the --ulimit
option to docker run. Valid naming values are displayed in the Ulimit data type.
Amazon ECS tasks hosted on Fargate use the default resource limit values set by the operating system with the exception of the nofile
resource limit parameter which Fargate overrides. The nofile
resource limit sets a restriction on the number of open files that a container can use. The default nofile
soft limit is 65535
and the default hard limit is 65535
.
This parameter requires version 1.18 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: sudo docker version --format '{{.Server.APIVersion}}'
This parameter is not supported for Windows containers.
A list of ulimits
to set in the container. If a ulimit
value is specified in a task definition, it overrides the default values set by Docker. This parameter maps to Ulimits
in the docker container create command and the --ulimit
option to docker run. Valid naming values are displayed in the Ulimit data type.
Amazon ECS tasks hosted on Fargate use the default resource limit values set by the operating system with the exception of the nofile
resource limit parameter which Fargate overrides. The nofile
resource limit sets a restriction on the number of open files that a container can use. The default nofile
soft limit is 65535
and the default hard limit is 65535
.
This parameter requires version 1.18 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: sudo docker version --format '{{.Server.APIVersion}}'
This parameter is not supported for Windows containers.
Data volumes to mount from another container. This parameter maps to VolumesFrom
in tthe docker conainer create command and the --volumes-from
option to docker run.
Data volumes to mount from another container. This parameter maps to VolumesFrom
in the docker container create command and the --volumes-from
option to docker run.
Deletes a Lambda function URL. When you delete a function URL, you can't recover it. Creating a new function URL results in a different URL address.
", "DeleteLayerVersion": "Deletes a version of an Lambda layer. Deleted versions can no longer be viewed or added to functions. To avoid breaking functions, a copy of the version remains in Lambda until no functions refer to it.
", "DeleteProvisionedConcurrencyConfig": "Deletes the provisioned concurrency configuration for a function.
", + "DeleteResourcePolicy": "Deletes a resource-based policy from a function.
", "GetAccountSettings": "Retrieves details about your account's limits and usage in an Amazon Web Services Region.
", "GetAlias": "Returns details about a Lambda function alias.
", "GetCodeSigningConfig": "Returns information about the specified code signing configuration.
", @@ -35,6 +36,8 @@ "GetLayerVersionPolicy": "Returns the permission policy for a version of an Lambda layer. For more information, see AddLayerVersionPermission.
", "GetPolicy": "Returns the resource-based IAM policy for a function, version, or alias.
", "GetProvisionedConcurrencyConfig": "Retrieves the provisioned concurrency configuration for a function's alias or version.
", + "GetPublicAccessBlockConfig": "Retrieve the public-access settings for a function.
", + "GetResourcePolicy": "Retrieves the resource-based policy attached to a function.
", "GetRuntimeManagementConfig": "Retrieves the runtime management configuration for a function's version. If the runtime update mode is Manual, this includes the ARN of the runtime version and the runtime update mode. If the runtime update mode is Auto or Function update, this includes the runtime update mode and null
is returned for the ARN. For more information, see Runtime updates.
Invokes a Lambda function. You can invoke a function synchronously (and wait for the response), or asynchronously. By default, Lambda invokes your function synchronously (i.e. theInvocationType
is RequestResponse
). To invoke a function asynchronously, set InvocationType
to Event
. Lambda passes the ClientContext
object to your function for synchronous invocations only.
For synchronous invocation, details about the function response, including errors, are included in the response body and headers. For either invocation type, you can find more information in the execution log and trace.
When an error occurs, your function may be invoked multiple times. Retry behavior varies by error type, client, event source, and invocation type. For example, if you invoke a function asynchronously and it returns an error, Lambda executes the function up to two more times. For more information, see Error handling and automatic retries in Lambda.
For asynchronous invocation, Lambda adds events to a queue before sending them to your function. If your function does not have enough capacity to keep up with the queue, events may be lost. Occasionally, your function may receive the same event multiple times, even if no error occurs. To retain events that were not processed, configure your function with a dead-letter queue.
The status code in the API response doesn't reflect function errors. Error codes are reserved for errors that prevent your function from executing, such as permissions errors, quota errors, or issues with your function's code and configuration. For example, Lambda returns TooManyRequestsException
if running the function would cause you to exceed a concurrency limit at either the account level (ConcurrentInvocationLimitExceeded
) or function level (ReservedFunctionConcurrentInvocationLimitExceeded
).
For functions with a long timeout, your client might disconnect during synchronous invocation while it waits for a response. Configure your HTTP client, SDK, firewall, proxy, or operating system to allow for long connections with timeout or keep-alive settings.
This operation requires permission for the lambda:InvokeFunction action. For details on how to set up permissions for cross-account invocations, see Granting function access to other accounts.
", "InvokeAsync": "For asynchronous function invocation, use Invoke.
Invokes a function asynchronously.
If you do use the InvokeAsync action, note that it doesn't support the use of X-Ray active tracing. Trace ID is not propagated to the function, even if X-Ray active tracing is turned on.
Configures options for asynchronous invocation on a function, version, or alias. If a configuration already exists for a function, version, or alias, this operation overwrites it. If you exclude any settings, they are removed. To set one option without affecting existing settings for other options, use UpdateFunctionEventInvokeConfig.
By default, Lambda retries an asynchronous invocation twice if the function returns an error. It retains events in a queue for up to six hours. When an event fails all processing attempts or stays in the asynchronous invocation queue for too long, Lambda discards it. To retain discarded events, configure a dead-letter queue with UpdateFunctionConfiguration.
To send an invocation record to a queue, topic, function, or event bus, specify a destination. You can configure separate destinations for successful invocations (on-success) and events that fail all processing attempts (on-failure). You can configure destinations in addition to or instead of a dead-letter queue.
", "PutFunctionRecursionConfig": "Sets your function's recursive loop detection configuration.
When you configure a Lambda function to output to the same service or resource that invokes the function, it's possible to create an infinite recursive loop. For example, a Lambda function might write a message to an Amazon Simple Queue Service (Amazon SQS) queue, which then invokes the same function. This invocation causes the function to write another message to the queue, which in turn invokes the function again.
Lambda can detect certain types of recursive loops shortly after they occur. When Lambda detects a recursive loop and your function's recursive loop detection configuration is set to Terminate
, it stops your function being invoked and notifies you.
Adds a provisioned concurrency configuration to a function's alias or version.
", + "PutPublicAccessBlockConfig": "Configure your function's public-access settings.
To control public access to a Lambda function, you can choose whether to allow the creation of resource-based policies that allow public access to that function. You can also block public access to a function, even if it has an existing resource-based policy that allows it.
", + "PutResourcePolicy": "Adds a resource-based policy to a function. You can use resource-based policies to grant access to other Amazon Web Services accounts, organizations, or services. Resource-based policies apply to a single function, version, or alias.
Adding a resource-based policy using this API action replaces any existing policy you've previously created. This means that if you've previously added resource-based permissions to a function using the AddPermission action, those permissions will be overwritten by your new policy.
Sets the runtime management configuration for a function's version. For more information, see Runtime updates.
", "RemoveLayerVersionPermission": "Removes a statement from the permissions policy for a version of an Lambda layer. For more information, see AddLayerVersionPermission.
", "RemovePermission": "Revokes function-use permission from an Amazon Web Servicesservice or another Amazon Web Services account. You can get the ID of the statement from the output of GetPolicy.
", @@ -482,6 +487,11 @@ "refs": { } }, + "DeleteResourcePolicyRequest": { + "base": null, + "refs": { + } + }, "Description": { "base": null, "refs": { @@ -1042,6 +1052,26 @@ "refs": { } }, + "GetPublicAccessBlockConfigRequest": { + "base": null, + "refs": { + } + }, + "GetPublicAccessBlockConfigResponse": { + "base": null, + "refs": { + } + }, + "GetResourcePolicyRequest": { + "base": null, + "refs": { + } + }, + "GetResourcePolicyResponse": { + "base": null, + "refs": { + } + }, "GetRuntimeManagementConfigRequest": { "base": null, "refs": { @@ -1694,6 +1724,8 @@ "NullableBoolean": { "base": null, "refs": { + "PublicAccessBlockConfig$BlockPublicPolicy": "To block the creation of resource-based policies that would grant public access to your function, set BlockPublicPolicy
to true
. To allow the creation of resource-based policies that would grant public access to your function, set BlockPublicPolicy
to false
.
To block public access to your function, even if its resource-based policy allows it, set RestrictPublicResource
to true
. To allow public access to a function with a resource-based policy that permits it, set RestrictPublicResource
to false
.
Allows outbound IPv6 traffic on VPC functions that are connected to dual-stack subnets.
", "VpcConfigResponse$Ipv6AllowedForDualStack": "Allows outbound IPv6 traffic on VPC functions that are connected to dual-stack subnets.
" } @@ -1748,6 +1780,14 @@ "refs": { } }, + "PolicyResourceArn": { + "base": null, + "refs": { + "DeleteResourcePolicyRequest$ResourceArn": "The Amazon Resource Name (ARN) of the function you want to delete the policy from. You can use either a qualified or an unqualified ARN, but the value you specify must be a complete ARN and wildcard characters are not accepted.
", + "GetResourcePolicyRequest$ResourceArn": "The Amazon Resource Name (ARN) of the function you want to retrieve the policy for. You can use either a qualified or an unqualified ARN, but the value you specify must be a complete ARN and wildcard characters are not accepted.
", + "PutResourcePolicyRequest$ResourceArn": "The Amazon Resource Name (ARN) of the function you want to add the policy to. You can use either a qualified or an unqualified ARN, but the value you specify must be a complete ARN and wildcard characters are not accepted.
" + } + }, "PositiveInteger": { "base": null, "refs": { @@ -1799,6 +1839,26 @@ "PutProvisionedConcurrencyConfigResponse$Status": "The status of the allocation process.
" } }, + "PublicAccessBlockConfig": { + "base": "An object that defines the public-access settings for a function.
", + "refs": { + "GetPublicAccessBlockConfigResponse$PublicAccessBlockConfig": "The public-access settings configured for the function you specified
", + "PutPublicAccessBlockConfigRequest$PublicAccessBlockConfig": "An object defining the public-access settings you want to apply.
To block the creation of resource-based policies that would grant public access to your function, set BlockPublicPolicy
to true
. To allow the creation of resource-based policies that would grant public access to your function, set BlockPublicPolicy
to false
.
To block public access to your function, even if its resource-based policy allows it, set RestrictPublicResource
to true
. To allow public access to a function with a resource-based policy that permits it, set RestrictPublicResource
to false
.
The default setting for both BlockPublicPolicy
and RestrictPublicResource
is true
.
The public-access settings Lambda applied to your function.
" + } + }, + "PublicAccessBlockResourceArn": { + "base": null, + "refs": { + "GetPublicAccessBlockConfigRequest$ResourceArn": "The Amazon Resource Name (ARN) of the function you want to retrieve public-access settings for.
", + "PutPublicAccessBlockConfigRequest$ResourceArn": "The Amazon Resource Name (ARN) of the function you want to configure public-access settings for. Public-access settings are applied at the function level, so you can't apply different settings to function versions or aliases.
" + } + }, + "PublicPolicyException": { + "base": "Lambda prevented your policy from being created because it would grant public access to your function. If you intended to create a public policy, use the PutPublicAccessBlockConfig API action to configure your function's public-access settings to allow public policies.
", + "refs": { + } + }, "PublishLayerVersionRequest": { "base": null, "refs": { @@ -1854,6 +1914,26 @@ "refs": { } }, + "PutPublicAccessBlockConfigRequest": { + "base": null, + "refs": { + } + }, + "PutPublicAccessBlockConfigResponse": { + "base": null, + "refs": { + } + }, + "PutResourcePolicyRequest": { + "base": null, + "refs": { + } + }, + "PutResourcePolicyResponse": { + "base": null, + "refs": { + } + }, "PutRuntimeManagementConfigRequest": { "base": null, "refs": { @@ -1961,12 +2041,29 @@ "refs": { } }, + "ResourcePolicy": { + "base": null, + "refs": { + "GetResourcePolicyResponse$Policy": "The resource-based policy attached to the function you specified.
", + "PutResourcePolicyRequest$Policy": "The JSON resource-based policy you want to add to your function.
To learn more about creating resource-based policies for controlling access to Lambda, see Working with resource-based IAM policies in Lambda in the Lambda Developer Guide.
", + "PutResourcePolicyResponse$Policy": "The policy Lambda added to your function.
" + } + }, "ResponseStreamingInvocationType": { "base": null, "refs": { "InvokeWithResponseStreamRequest$InvocationType": "Use one of the following options:
RequestResponse
(default) – Invoke the function synchronously. Keep the connection open until the function returns a response or times out. The API operation response includes the function response and additional data.
DryRun
– Validate parameter values and verify that the IAM user or role has permission to invoke the function.
Delete the existing policy only if its revision ID matches the string you specify. To find the revision ID of the policy currently attached to your function, use the GetResourcePolicy action.
", + "GetResourcePolicyResponse$RevisionId": "The revision ID of the policy.
", + "PutResourcePolicyRequest$RevisionId": "Replace the existing policy only if its revision ID matches the string you specify. To find the revision ID of the policy currently attached to your function, use the GetResourcePolicy action.
", + "PutResourcePolicyResponse$RevisionId": "The revision ID of the policy Lambda added to your function.
" + } + }, "RoleArn": { "base": null, "refs": { @@ -2293,6 +2390,8 @@ "ProvisionedConcurrencyConfigListItem$StatusReason": "For failed allocations, the reason that provisioned concurrency could not be allocated.
", "ProvisionedConcurrencyConfigNotFoundException$Type": null, "ProvisionedConcurrencyConfigNotFoundException$message": null, + "PublicPolicyException$Type": "The exception type.
", + "PublicPolicyException$Message": null, "PublishVersionRequest$CodeSha256": "Only publish a version if the hash value matches the value that's specified. Use this option to avoid publishing a version if the function code has changed since you last updated it. You can get the hash for the version that you uploaded from the output of UpdateFunctionCode.
", "PublishVersionRequest$RevisionId": "Only update the function if the revision ID matches the ID that's specified. Use this option to avoid publishing a version if the function configuration has changed since you last updated it.
", "PutProvisionedConcurrencyConfigResponse$StatusReason": "For failed allocations, the reason that provisioned concurrency could not be allocated.
", diff --git a/apis/rds/2014-10-31/docs-2.json b/apis/rds/2014-10-31/docs-2.json index af07b428462..9efe4763781 100644 --- a/apis/rds/2014-10-31/docs-2.json +++ b/apis/rds/2014-10-31/docs-2.json @@ -4725,7 +4725,7 @@ "CreateDBInstanceMessage$DBParameterGroupName": "The name of the DB parameter group to associate with this DB instance. If you don't specify a value, then Amazon RDS uses the default DB parameter group for the specified DB engine and version.
This setting doesn't apply to RDS Custom DB instances.
Constraints:
Must be 1 to 255 letters, numbers, or hyphens.
The first character must be a letter.
Can't end with a hyphen or contain two consecutive hyphens.
The daily time range during which automated backups are created if automated backups are enabled, using the BackupRetentionPeriod
parameter. The default is a 30-minute window selected at random from an 8-hour block of time for each Amazon Web Services Region. For more information, see Backup window in the Amazon RDS User Guide.
This setting doesn't apply to Amazon Aurora DB instances. The daily time range for creating automated backups is managed by the DB cluster.
Constraints:
Must be in the format hh24:mi-hh24:mi
.
Must be in Universal Coordinated Time (UTC).
Must not conflict with the preferred maintenance window.
Must be at least 30 minutes.
The version number of the database engine to use.
This setting doesn't apply to Amazon Aurora DB instances. The version number of the database engine the DB instance uses is managed by the DB cluster.
For a list of valid engine versions, use the DescribeDBEngineVersions
operation.
The following are the database engines and links to information about the major and minor versions that are available with Amazon RDS. Not every database engine is available for every Amazon Web Services Region.
A custom engine version (CEV) that you have previously created. This setting is required for RDS Custom for Oracle. The CEV name has the following format: 19.customized_string. A valid CEV name is 19.my_cev1
. For more information, see Creating an RDS Custom for Oracle DB instance in the Amazon RDS User Guide.
See RDS Custom for SQL Server general requirements in the Amazon RDS User Guide.
For information, see Db2 on Amazon RDS versions in the Amazon RDS User Guide.
For information, see MariaDB on Amazon RDS versions in the Amazon RDS User Guide.
For information, see Microsoft SQL Server versions on Amazon RDS in the Amazon RDS User Guide.
For information, see MySQL on Amazon RDS versions in the Amazon RDS User Guide.
For information, see Oracle Database Engine release notes in the Amazon RDS User Guide.
For information, see Amazon RDS for PostgreSQL versions and extensions in the Amazon RDS User Guide.
The license model information for this DB instance.
License models for RDS for Db2 require additional configuration. The Bring Your Own License (BYOL) model requires a custom parameter group. The Db2 license through Amazon Web Services Marketplace model requires an Amazon Web Services Marketplace subscription. For more information, see RDS for Db2 licensing options in the Amazon RDS User Guide.
The default for RDS for Db2 is bring-your-own-license
.
This setting doesn't apply to Amazon Aurora or RDS Custom DB instances.
Valid Values:
RDS for Db2 - bring-your-own-license | marketplace-license
RDS for MariaDB - general-public-license
RDS for Microsoft SQL Server - license-included
RDS for MySQL - general-public-license
RDS for Oracle - bring-your-own-license | license-included
RDS for PostgreSQL - postgresql-license
The license model information for this DB instance.
License models for RDS for Db2 require additional configuration. The Bring Your Own License (BYOL) model requires a custom parameter group and an Amazon Web Services License Manager self-managed license. The Db2 license through Amazon Web Services Marketplace model requires an Amazon Web Services Marketplace subscription. For more information, see Amazon RDS for Db2 licensing options in the Amazon RDS User Guide.
The default for RDS for Db2 is bring-your-own-license
.
This setting doesn't apply to Amazon Aurora or RDS Custom DB instances.
Valid Values:
RDS for Db2 - bring-your-own-license | marketplace-license
RDS for MariaDB - general-public-license
RDS for Microsoft SQL Server - license-included
RDS for MySQL - general-public-license
RDS for Oracle - bring-your-own-license | license-included
RDS for PostgreSQL - postgresql-license
The option group to associate the DB instance with.
Permanent options, such as the TDE option for Oracle Advanced Security TDE, can't be removed from an option group. Also, that option group can't be removed from a DB instance after it is associated with a DB instance.
This setting doesn't apply to Amazon Aurora or RDS Custom DB instances.
", "CreateDBInstanceMessage$CharacterSetName": "For supported engines, the character set (CharacterSet
) to associate the DB instance with.
This setting doesn't apply to the following DB instances:
Amazon Aurora - The character set is managed by the DB cluster. For more information, see CreateDBCluster
.
RDS Custom - However, if you need to change the character set, you can change it on the database itself.
The name of the NCHAR character set for the Oracle DB instance.
This setting doesn't apply to RDS Custom DB instances.
", @@ -5583,7 +5583,7 @@ "RestoreDBInstanceFromDBSnapshotMessage$DBInstanceClass": "The compute and memory capacity of the Amazon RDS DB instance, for example db.m4.large. Not all DB instance classes are available in all Amazon Web Services Regions, or for all database engines. For the full list of DB instance classes, and availability for your engine, see DB Instance Class in the Amazon RDS User Guide.
Default: The same DBInstanceClass as the original DB instance.
", "RestoreDBInstanceFromDBSnapshotMessage$AvailabilityZone": "The Availability Zone (AZ) where the DB instance will be created.
Default: A random, system-chosen Availability Zone.
Constraint: You can't specify the AvailabilityZone
parameter if the DB instance is a Multi-AZ deployment.
Example: us-east-1a
The name of the DB subnet group to use for the new instance.
Constraints:
If supplied, must match the name of an existing DB subnet group.
Example: mydbsubnetgroup
License model information for the restored DB instance.
License models for RDS for Db2 require additional configuration. The Bring Your Own License (BYOL) model requires a custom parameter group. The Db2 license through Amazon Web Services Marketplace model requires an Amazon Web Services Marketplace subscription. For more information, see RDS for Db2 licensing options in the Amazon RDS User Guide.
This setting doesn't apply to Amazon Aurora or RDS Custom DB instances.
Valid Values:
RDS for Db2 - bring-your-own-license | marketplace-license
RDS for MariaDB - general-public-license
RDS for Microsoft SQL Server - license-included
RDS for MySQL - general-public-license
RDS for Oracle - bring-your-own-license | license-included
RDS for PostgreSQL - postgresql-license
Default: Same as the source.
", + "RestoreDBInstanceFromDBSnapshotMessage$LicenseModel": "License model information for the restored DB instance.
License models for RDS for Db2 require additional configuration. The Bring Your Own License (BYOL) model requires a custom parameter group and an Amazon Web Services License Manager self-managed license. The Db2 license through Amazon Web Services Marketplace model requires an Amazon Web Services Marketplace subscription. For more information, see Amazon RDS for Db2 licensing options in the Amazon RDS User Guide.
This setting doesn't apply to Amazon Aurora or RDS Custom DB instances.
Valid Values:
RDS for Db2 - bring-your-own-license | marketplace-license
RDS for MariaDB - general-public-license
RDS for Microsoft SQL Server - license-included
RDS for MySQL - general-public-license
RDS for Oracle - bring-your-own-license | license-included
RDS for PostgreSQL - postgresql-license
Default: Same as the source.
", "RestoreDBInstanceFromDBSnapshotMessage$DBName": "The name of the database for the restored DB instance.
This parameter only applies to RDS for Oracle and RDS for SQL Server DB instances. It doesn't apply to the other engines or to RDS Custom DB instances.
", "RestoreDBInstanceFromDBSnapshotMessage$Engine": "The database engine to use for the new instance.
This setting doesn't apply to RDS Custom.
Default: The same as source
Constraint: Must be compatible with the engine of the source. For example, you can restore a MariaDB 10.1 DB instance from a MySQL 5.6 snapshot.
Valid Values:
db2-ae
db2-se
mariadb
mysql
oracle-ee
oracle-ee-cdb
oracle-se2
oracle-se2-cdb
postgres
sqlserver-ee
sqlserver-se
sqlserver-ex
sqlserver-web
The name of the option group to be used for the restored DB instance.
Permanent options, such as the TDE option for Oracle Advanced Security TDE, can't be removed from an option group, and that option group can't be removed from a DB instance after it is associated with a DB instance.
This setting doesn't apply to RDS Custom.
", @@ -5634,7 +5634,7 @@ "RestoreDBInstanceToPointInTimeMessage$DBInstanceClass": "The compute and memory capacity of the Amazon RDS DB instance, for example db.m4.large. Not all DB instance classes are available in all Amazon Web Services Regions, or for all database engines. For the full list of DB instance classes, and availability for your engine, see DB Instance Class in the Amazon RDS User Guide.
Default: The same DB instance class as the original DB instance.
", "RestoreDBInstanceToPointInTimeMessage$AvailabilityZone": "The Availability Zone (AZ) where the DB instance will be created.
Default: A random, system-chosen Availability Zone.
Constraints:
You can't specify the AvailabilityZone
parameter if the DB instance is a Multi-AZ deployment.
Example: us-east-1a
The DB subnet group name to use for the new instance.
Constraints:
If supplied, must match the name of an existing DB subnet group.
Example: mydbsubnetgroup
The license model information for the restored DB instance.
License models for RDS for Db2 require additional configuration. The Bring Your Own License (BYOL) model requires a custom parameter group. The Db2 license through Amazon Web Services Marketplace model requires an Amazon Web Services Marketplace subscription. For more information, see RDS for Db2 licensing options in the Amazon RDS User Guide.
This setting doesn't apply to Amazon Aurora or RDS Custom DB instances.
Valid Values:
RDS for Db2 - bring-your-own-license | marketplace-license
RDS for MariaDB - general-public-license
RDS for Microsoft SQL Server - license-included
RDS for MySQL - general-public-license
RDS for Oracle - bring-your-own-license | license-included
RDS for PostgreSQL - postgresql-license
Default: Same as the source.
", + "RestoreDBInstanceToPointInTimeMessage$LicenseModel": "The license model information for the restored DB instance.
License models for RDS for Db2 require additional configuration. The Bring Your Own License (BYOL) model requires a custom parameter group and an Amazon Web Services License Manager self-managed license. The Db2 license through Amazon Web Services Marketplace model requires an Amazon Web Services Marketplace subscription. For more information, see Amazon RDS for Db2 licensing options in the Amazon RDS User Guide.
This setting doesn't apply to Amazon Aurora or RDS Custom DB instances.
Valid Values:
RDS for Db2 - bring-your-own-license | marketplace-license
RDS for MariaDB - general-public-license
RDS for Microsoft SQL Server - license-included
RDS for MySQL - general-public-license
RDS for Oracle - bring-your-own-license | license-included
RDS for PostgreSQL - postgresql-license
Default: Same as the source.
", "RestoreDBInstanceToPointInTimeMessage$DBName": "The database name for the restored DB instance.
This parameter doesn't apply to the following DB instances:
RDS Custom
RDS for Db2
RDS for MariaDB
RDS for MySQL
The database engine to use for the new instance.
This setting doesn't apply to RDS Custom.
Valid Values:
db2-ae
db2-se
mariadb
mysql
oracle-ee
oracle-ee-cdb
oracle-se2
oracle-se2-cdb
postgres
sqlserver-ee
sqlserver-se
sqlserver-ex
sqlserver-web
Default: The same as source
Constraints:
Must be compatible with the engine of the source.
The name of the option group to use for the restored DB instance.
Permanent options, such as the TDE option for Oracle Advanced Security TDE, can't be removed from an option group, and that option group can't be removed from a DB instance after it is associated with a DB instance
This setting doesn't apply to RDS Custom.
", diff --git a/apis/ssm/2014-11-06/api-2.json b/apis/ssm/2014-11-06/api-2.json index 34b694fcea6..5b966fcaf46 100644 --- a/apis/ssm/2014-11-06/api-2.json +++ b/apis/ssm/2014-11-06/api-2.json @@ -2777,6 +2777,7 @@ "ProgressCounters":{"shape":"ProgressCounters"}, "AlarmConfiguration":{"shape":"AlarmConfiguration"}, "TriggeredAlarms":{"shape":"AlarmStateInformationList"}, + "TargetLocationsURL":{"shape":"TargetLocationsURL"}, "AutomationSubtype":{"shape":"AutomationSubtype"}, "ScheduledTime":{"shape":"DateTime"}, "Runbooks":{"shape":"Runbooks"}, @@ -2870,6 +2871,7 @@ "AutomationType":{"shape":"AutomationType"}, "AlarmConfiguration":{"shape":"AlarmConfiguration"}, "TriggeredAlarms":{"shape":"AlarmStateInformationList"}, + "TargetLocationsURL":{"shape":"TargetLocationsURL"}, "AutomationSubtype":{"shape":"AutomationSubtype"}, "ScheduledTime":{"shape":"DateTime"}, "Runbooks":{"shape":"Runbooks"}, @@ -5107,6 +5109,18 @@ "member":{"shape":"EffectivePatch"} }, "ErrorCount":{"type":"integer"}, + "ExcludeAccount":{ + "type":"string", + "max":68, + "min":6, + "pattern":"^(ou-[a-z0-9]{4,32}-[a-z0-9]{8,32})|(\\d{12})$" + }, + "ExcludeAccounts":{ + "type":"list", + "member":{"shape":"ExcludeAccount"}, + "max":5000, + "min":1 + }, "ExecutionMode":{ "type":"string", "enum":[ @@ -10283,7 +10297,8 @@ "box":true }, "Tags":{"shape":"TagList"}, - "AlarmConfiguration":{"shape":"AlarmConfiguration"} + "AlarmConfiguration":{"shape":"AlarmConfiguration"}, + "TargetLocationsURL":{"shape":"TargetLocationsURL"} } }, "StartAutomationExecutionResult":{ @@ -10562,7 +10577,12 @@ "TargetLocationAlarmConfiguration":{ "shape":"AlarmConfiguration", "box":true - } + }, + "IncludeChildOrganizationUnits":{"shape":"Boolean"}, + "ExcludeAccounts":{"shape":"ExcludeAccounts"}, + "Targets":{"shape":"Targets"}, + "TargetsMaxConcurrency":{"shape":"MaxConcurrency"}, + "TargetsMaxErrors":{"shape":"MaxErrors"} } }, "TargetLocations":{ @@ -10571,6 +10591,10 @@ "max":100, "min":1 }, + "TargetLocationsURL":{ + "type":"string", + "pattern":"^https:\\/\\/[-a-zA-Z0-9@:%._\\+~#=]{1,253}\\.s3(\\.[a-z\\d-]{9,16})?\\.amazonaws\\.com\\/.{1,2000}" + }, "TargetMap":{ "type":"map", "key":{"shape":"TargetMapKey"}, diff --git a/apis/ssm/2014-11-06/docs-2.json b/apis/ssm/2014-11-06/docs-2.json index 8ed18bd6250..350ec3fe428 100644 --- a/apis/ssm/2014-11-06/docs-2.json +++ b/apis/ssm/2014-11-06/docs-2.json @@ -6,15 +6,15 @@ "AssociateOpsItemRelatedItem": "Associates a related item to a Systems Manager OpsCenter OpsItem. For example, you can associate an Incident Manager incident or analysis with an OpsItem. Incident Manager and OpsCenter are capabilities of Amazon Web Services Systems Manager.
", "CancelCommand": "Attempts to cancel the command specified by the Command ID. There is no guarantee that the command will be terminated and the underlying process stopped.
", "CancelMaintenanceWindowExecution": "Stops a maintenance window execution that is already in progress and cancels any tasks in the window that haven't already starting running. Tasks already in progress will continue to completion.
", - "CreateActivation": "Generates an activation code and activation ID you can use to register your on-premises servers, edge devices, or virtual machine (VM) with Amazon Web Services Systems Manager. Registering these machines with Systems Manager makes it possible to manage them using Systems Manager capabilities. You use the activation code and ID when installing SSM Agent on machines in your hybrid environment. For more information about requirements for managing on-premises machines using Systems Manager, see Setting up Amazon Web Services Systems Manager for hybrid and multicloud environments in the Amazon Web Services Systems Manager User Guide.
Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, and on-premises servers and VMs that are configured for Systems Manager are all called managed nodes.
Generates an activation code and activation ID you can use to register your on-premises servers, edge devices, or virtual machine (VM) with Amazon Web Services Systems Manager. Registering these machines with Systems Manager makes it possible to manage them using Systems Manager capabilities. You use the activation code and ID when installing SSM Agent on machines in your hybrid environment. For more information about requirements for managing on-premises machines using Systems Manager, see Using Amazon Web Services Systems Manager in hybrid and multicloud environments in the Amazon Web Services Systems Manager User Guide.
Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, and on-premises servers and VMs that are configured for Systems Manager are all called managed nodes.
A State Manager association defines the state that you want to maintain on your managed nodes. For example, an association can specify that anti-virus software must be installed and running on your managed nodes, or that certain ports must be closed. For static targets, the association specifies a schedule for when the configuration is reapplied. For dynamic targets, such as an Amazon Web Services resource group or an Amazon Web Services autoscaling group, State Manager, a capability of Amazon Web Services Systems Manager applies the configuration when new managed nodes are added to the group. The association also specifies actions to take when applying the configuration. For example, an association for anti-virus software might run once a day. If the software isn't installed, then State Manager installs it. If the software is installed, but the service isn't running, then the association might instruct State Manager to start the service.
", "CreateAssociationBatch": "Associates the specified Amazon Web Services Systems Manager document (SSM document) with the specified managed nodes or targets.
When you associate a document with one or more managed nodes using IDs or tags, Amazon Web Services Systems Manager Agent (SSM Agent) running on the managed node processes the document and configures the node as specified.
If you associate a document with a managed node that already has an associated document, the system returns the AssociationAlreadyExists exception.
", - "CreateDocument": "Creates a Amazon Web Services Systems Manager (SSM document). An SSM document defines the actions that Systems Manager performs on your managed nodes. For more information about SSM documents, including information about supported schemas, features, and syntax, see Amazon Web Services Systems Manager Documents in the Amazon Web Services Systems Manager User Guide.
", + "CreateDocument": "Creates a Amazon Web Services Systems Manager (SSM document). An SSM document defines the actions that Systems Manager performs on your managed nodes. For more information about SSM documents, including information about supported schemas, features, and syntax, see Amazon Web Services Systems Manager Documents in the Amazon Web Services Systems Manager User Guide.
", "CreateMaintenanceWindow": "Creates a new maintenance window.
The value you specify for Duration
determines the specific end time for the maintenance window based on the time it begins. No maintenance window tasks are permitted to start after the resulting endtime minus the number of hours you specify for Cutoff
. For example, if the maintenance window starts at 3 PM, the duration is three hours, and the value you specify for Cutoff
is one hour, no maintenance window tasks can start after 5 PM.
Creates a new OpsItem. You must have permission in Identity and Access Management (IAM) to create a new OpsItem. For more information, see Set up OpsCenter in the Amazon Web Services Systems Manager User Guide.
Operations engineers and IT professionals use Amazon Web Services Systems Manager OpsCenter to view, investigate, and remediate operational issues impacting the performance and health of their Amazon Web Services resources. For more information, see Amazon Web Services Systems Manager OpsCenter in the Amazon Web Services Systems Manager User Guide.
", "CreateOpsMetadata": "If you create a new application in Application Manager, Amazon Web Services Systems Manager calls this API operation to specify information about the new application, including the application type.
", "CreatePatchBaseline": "Creates a patch baseline.
For information about valid key-value pairs in PatchFilters
for each supported operating system type, see PatchFilter.
A resource data sync helps you view data from multiple sources in a single location. Amazon Web Services Systems Manager offers two types of resource data sync: SyncToDestination
and SyncFromSource
.
You can configure Systems Manager Inventory to use the SyncToDestination
type to synchronize Inventory data from multiple Amazon Web Services Regions to a single Amazon Simple Storage Service (Amazon S3) bucket. For more information, see Configuring resource data sync for Inventory in the Amazon Web Services Systems Manager User Guide.
You can configure Systems Manager Explorer to use the SyncFromSource
type to synchronize operational work items (OpsItems) and operational data (OpsData) from multiple Amazon Web Services Regions to a single Amazon S3 bucket. This type can synchronize OpsItems and OpsData from multiple Amazon Web Services accounts and Amazon Web Services Regions or EntireOrganization
by using Organizations. For more information, see Setting up Systems Manager Explorer to display data from multiple accounts and Regions in the Amazon Web Services Systems Manager User Guide.
A resource data sync is an asynchronous operation that returns immediately. After a successful initial sync is completed, the system continuously syncs data. To check the status of a sync, use the ListResourceDataSync.
By default, data isn't encrypted in Amazon S3. We strongly recommend that you enable encryption in Amazon S3 to ensure secure data storage. We also recommend that you secure access to the Amazon S3 bucket by creating a restrictive bucket policy.
A resource data sync helps you view data from multiple sources in a single location. Amazon Web Services Systems Manager offers two types of resource data sync: SyncToDestination
and SyncFromSource
.
You can configure Systems Manager Inventory to use the SyncToDestination
type to synchronize Inventory data from multiple Amazon Web Services Regions to a single Amazon Simple Storage Service (Amazon S3) bucket. For more information, see Creatinga a resource data sync for Inventory in the Amazon Web Services Systems Manager User Guide.
You can configure Systems Manager Explorer to use the SyncFromSource
type to synchronize operational work items (OpsItems) and operational data (OpsData) from multiple Amazon Web Services Regions to a single Amazon S3 bucket. This type can synchronize OpsItems and OpsData from multiple Amazon Web Services accounts and Amazon Web Services Regions or EntireOrganization
by using Organizations. For more information, see Setting up Systems Manager Explorer to display data from multiple accounts and Regions in the Amazon Web Services Systems Manager User Guide.
A resource data sync is an asynchronous operation that returns immediately. After a successful initial sync is completed, the system continuously syncs data. To check the status of a sync, use the ListResourceDataSync.
By default, data isn't encrypted in Amazon S3. We strongly recommend that you enable encryption in Amazon S3 to ensure secure data storage. We also recommend that you secure access to the Amazon S3 bucket by creating a restrictive bucket policy.
Deletes an activation. You aren't required to delete an activation. If you delete an activation, you can no longer use it to register additional managed nodes. Deleting an activation doesn't de-register managed nodes. You must manually de-register managed nodes.
", "DeleteAssociation": "Disassociates the specified Amazon Web Services Systems Manager document (SSM document) from the specified managed node. If you created the association by using the Targets
parameter, then you must delete the association by using the association ID.
When you disassociate a document from a managed node, it doesn't change the configuration of the node. To change the configuration state of a managed node after you disassociate a document, you must create a new document with the desired configuration and associate it with the node.
", "DeleteDocument": "Deletes the Amazon Web Services Systems Manager document (SSM document) and all managed node associations to the document.
Before you delete the document, we recommend that you use DeleteAssociation to disassociate all managed nodes that are associated with the document.
", @@ -327,7 +327,7 @@ "ApproveAfterDays": { "base": null, "refs": { - "PatchRule$ApproveAfterDays": "The number of days after the release date of each patch matched by the rule that the patch is marked as approved in the patch baseline. For example, a value of 7
means that patches are approved seven days after they are released.
This parameter is marked as not required, but your request must include a value for either ApproveAfterDays
or ApproveUntilDate
.
Not supported for Debian Server or Ubuntu Server.
" + "PatchRule$ApproveAfterDays": "The number of days after the release date of each patch matched by the rule that the patch is marked as approved in the patch baseline. For example, a value of 7
means that patches are approved seven days after they are released.
This parameter is marked as Required: No
, but your request must include a value for either ApproveAfterDays
or ApproveUntilDate
.
Not supported for Debian Server or Ubuntu Server.
Use caution when setting this value for Windows Server patch baselines. Because patch updates that are replaced by later updates are removed, setting too broad a value for this parameter can result in crucial patches not being installed. For more information, see the Windows Server tab in the topic How security patches are selected in the Amazon Web Services Systems Manager User Guide.
The value of a key-value pair that identifies the location of an attachment to a document. The format for Value depends on the type of key you specify.
For the key SourceUrl, the value is an S3 bucket location. For example:
\"Values\": [ \"s3://doc-example-bucket/my-folder\" ]
For the key S3FileUrl, the value is a file in an S3 bucket. For example:
\"Values\": [ \"s3://doc-example-bucket/my-folder/my-file.py\" ]
For the key AttachmentReference, the value is constructed from the name of another SSM document in your account, a version number of that document, and a file attached to that document version that you want to reuse. For example:
\"Values\": [ \"MyOtherDocument/3/my-other-file.py\" ]
However, if the SSM document is shared with you from another account, the full SSM document ARN must be specified instead of the document name only. For example:
\"Values\": [ \"arn:aws:ssm:us-east-2:111122223333:document/OtherAccountDocument/3/their-file.py\" ]
The value of a key-value pair that identifies the location of an attachment to a document. The format for Value depends on the type of key you specify.
For the key SourceUrl, the value is an S3 bucket location. For example:
\"Values\": [ \"s3://amzn-s3-demo-bucket/my-prefix\" ]
For the key S3FileUrl, the value is a file in an S3 bucket. For example:
\"Values\": [ \"s3://amzn-s3-demo-bucket/my-prefix/my-file.py\" ]
For the key AttachmentReference, the value is constructed from the name of another SSM document in your account, a version number of that document, and a file attached to that document version that you want to reuse. For example:
\"Values\": [ \"MyOtherDocument/3/my-other-file.py\" ]
However, if the SSM document is shared with you from another account, the full SSM document ARN must be specified instead of the document name only. For example:
\"Values\": [ \"arn:aws:ssm:us-east-2:111122223333:document/OtherAccountDocument/3/their-file.py\" ]
Use this filter with DescribeAutomationExecutions. Specify either Local or CrossAccount. CrossAccount is an Automation that runs in multiple Amazon Web Services Regions and Amazon Web Services accounts. For more information, see Running Automation workflows in multiple Amazon Web Services Regions and accounts in the Amazon Web Services Systems Manager User Guide.
" + "AutomationExecutionMetadata$AutomationType": "Use this filter with DescribeAutomationExecutions. Specify either Local or CrossAccount. CrossAccount is an Automation that runs in multiple Amazon Web Services Regions and Amazon Web Services accounts. For more information, see Running automations in multiple Amazon Web Services Regions and accounts in the Amazon Web Services Systems Manager User Guide.
" } }, "BaselineDescription": { @@ -992,6 +992,7 @@ "StartChangeRequestExecutionRequest$AutoApprove": "Indicates whether the change request can be approved automatically without the need for manual approvals.
If AutoApprovable
is enabled in a change template, then setting AutoApprove
to true
in StartChangeRequestExecution
creates a change request that bypasses approver review.
Change Calendar restrictions are not bypassed in this scenario. If the state of an associated calendar is CLOSED
, change freeze approvers must still grant permission for this change request to run. If they don't, the change won't be processed until the calendar state is again OPEN
.
The flag which can be used to end automation no matter whether the step succeeds or fails.
", "StepExecution$IsCritical": "The flag which can be used to help decide whether the failure of current step leads to the Automation failure.
", + "TargetLocation$IncludeChildOrganizationUnits": "Indicates whether to include child organizational units (OUs) that are children of the targeted OUs. The default is false
.
If True
, then all fields that are required by the CreateMaintenanceWindow operation are also required for this API request. Optional fields that aren't specified are set to null.
If True
, then all fields that are required by the RegisterTargetWithMaintenanceWindow operation are also required for this API request. Optional fields that aren't specified are set to null.
If True, then all fields that are required by the RegisterTaskWithMaintenanceWindow operation are also required for this API request. Optional fields that aren't specified are set to null.
", @@ -1136,7 +1137,7 @@ "CommandFilterValue": { "base": null, "refs": { - "CommandFilter$value": "The filter value. Valid values for each filter key are as follows:
InvokedAfter: Specify a timestamp to limit your results. For example, specify 2021-07-07T00:00:00Z
to see a list of command executions occurring July 7, 2021, and later.
InvokedBefore: Specify a timestamp to limit your results. For example, specify 2021-07-07T00:00:00Z
to see a list of command executions from before July 7, 2021.
Status: Specify a valid command status to see a list of all command executions with that status. The status choices depend on the API you call.
The status values you can specify for ListCommands
are:
Pending
InProgress
Success
Cancelled
Failed
TimedOut
(this includes both Delivery and Execution time outs)
AccessDenied
DeliveryTimedOut
ExecutionTimedOut
Incomplete
NoInstancesInTag
LimitExceeded
The status values you can specify for ListCommandInvocations
are:
Pending
InProgress
Delayed
Success
Cancelled
Failed
TimedOut
(this includes both Delivery and Execution time outs)
AccessDenied
DeliveryTimedOut
ExecutionTimedOut
Undeliverable
InvalidPlatform
Terminated
DocumentName: Specify name of the Amazon Web Services Systems Manager document (SSM document) for which you want to see command execution results. For example, specify AWS-RunPatchBaseline
to see command executions that used this SSM document to perform security patching operations on managed nodes.
ExecutionStage: Specify one of the following values (ListCommands
operations only):
Executing
: Returns a list of command executions that are currently still running.
Complete
: Returns a list of command executions that have already completed.
The filter value. Valid values for each filter key are as follows:
InvokedAfter: Specify a timestamp to limit your results. For example, specify 2024-07-07T00:00:00Z
to see a list of command executions occurring July 7, 2021, and later.
InvokedBefore: Specify a timestamp to limit your results. For example, specify 2024-07-07T00:00:00Z
to see a list of command executions from before July 7, 2021.
Status: Specify a valid command status to see a list of all command executions with that status. The status choices depend on the API you call.
The status values you can specify for ListCommands
are:
Pending
InProgress
Success
Cancelled
Failed
TimedOut
(this includes both Delivery and Execution time outs)
AccessDenied
DeliveryTimedOut
ExecutionTimedOut
Incomplete
NoInstancesInTag
LimitExceeded
The status values you can specify for ListCommandInvocations
are:
Pending
InProgress
Delayed
Success
Cancelled
Failed
TimedOut
(this includes both Delivery and Execution time outs)
AccessDenied
DeliveryTimedOut
ExecutionTimedOut
Undeliverable
InvalidPlatform
Terminated
DocumentName: Specify name of the Amazon Web Services Systems Manager document (SSM document) for which you want to see command execution results. For example, specify AWS-RunPatchBaseline
to see command executions that used this SSM document to perform security patching operations on managed nodes.
ExecutionStage: Specify one of the following values (ListCommands
operations only):
Executing
: Returns a list of command executions that are currently still running.
Complete
: Returns a list of command executions that have already completed.
The number of targets for which the status is Failed or Execution Timed Out.
" } }, + "ExcludeAccount": { + "base": null, + "refs": { + "ExcludeAccounts$member": null + } + }, + "ExcludeAccounts": { + "base": null, + "refs": { + "TargetLocation$ExcludeAccounts": "Amazon Web Services accounts or organizational units to exclude as expanded targets.
" + } + }, "ExecutionMode": { "base": null, "refs": { @@ -2757,7 +2770,7 @@ "base": null, "refs": { "Activation$ExpirationDate": "The date when this activation can no longer be used to register managed nodes.
", - "CreateActivationRequest$ExpirationDate": "The date by which this activation request should expire, in timestamp format, such as \"2021-07-07T00:00:00\". You can specify a date up to 30 days in advance. If you don't provide an expiration date, the activation code expires in 24 hours.
" + "CreateActivationRequest$ExpirationDate": "The date by which this activation request should expire, in timestamp format, such as \"2024-07-07T00:00:00\". You can specify a date up to 30 days in advance. If you don't provide an expiration date, the activation code expires in 24 hours.
" } }, "ExternalAlarmState": { @@ -3104,10 +3117,10 @@ "base": null, "refs": { "Activation$IamRole": "The Identity and Access Management (IAM) role to assign to the managed node.
", - "CreateActivationRequest$IamRole": "The name of the Identity and Access Management (IAM) role that you want to assign to the managed node. This IAM role must provide AssumeRole permissions for the Amazon Web Services Systems Manager service principal ssm.amazonaws.com
. For more information, see Create an IAM service role for a hybrid and multicloud environment in the Amazon Web Services Systems Manager User Guide.
You can't specify an IAM service-linked role for this parameter. You must create a unique role.
The name of the Identity and Access Management (IAM) role that you want to assign to the managed node. This IAM role must provide AssumeRole permissions for the Amazon Web Services Systems Manager service principal ssm.amazonaws.com
. For more information, see Create the IAM service role required for Systems Manager in a hybrid and multicloud environments in the Amazon Web Services Systems Manager User Guide.
You can't specify an IAM service-linked role for this parameter. You must create a unique role.
The role assigned to an Amazon EC2 instance configured with a Systems Manager Quick Setup host management configuration or the role assigned to an on-premises managed node.
This call doesn't return the IAM role for unmanaged Amazon EC2 instances (instances not configured for Systems Manager). To retrieve the role for an unmanaged instance, use the Amazon EC2 DescribeInstances
operation. For information, see DescribeInstances in the Amazon EC2 API Reference or describe-instances in the Amazon Web Services CLI Command Reference.
The IAM role used in the hybrid activation to register the node with Systems Manager.
", - "UpdateManagedInstanceRoleRequest$IamRole": "The name of the Identity and Access Management (IAM) role that you want to assign to the managed node. This IAM role must provide AssumeRole permissions for the Amazon Web Services Systems Manager service principal ssm.amazonaws.com
. For more information, see Create an IAM service role for a hybrid and multicloud environment in the Amazon Web Services Systems Manager User Guide.
You can't specify an IAM service-linked role for this parameter. You must create a unique role.
The name of the Identity and Access Management (IAM) role that you want to assign to the managed node. This IAM role must provide AssumeRole permissions for the Amazon Web Services Systems Manager service principal ssm.amazonaws.com
. For more information, see Create the IAM service role required for Systems Manager in hybrid and multicloud environments in the Amazon Web Services Systems Manager User Guide.
You can't specify an IAM service-linked role for this parameter. You must create a unique role.
An https URL or an Amazon Simple Storage Service (Amazon S3) path-style URL to a list of patches to be installed. This patch installation list, which you maintain in an S3 bucket in YAML format and specify in the SSM document AWS-RunPatchBaseline
, overrides the patches specified by the default patch baseline.
For more information about the InstallOverrideList
parameter, see About the AWS-RunPatchBaseline SSM document
in the Amazon Web Services Systems Manager User Guide.
An https URL or an Amazon Simple Storage Service (Amazon S3) path-style URL to a list of patches to be installed. This patch installation list, which you maintain in an S3 bucket in YAML format and specify in the SSM document AWS-RunPatchBaseline
, overrides the patches specified by the default patch baseline.
For more information about the InstallOverrideList
parameter, see SSM Command document for patching: AWS-RunPatchBaseline
in the Amazon Web Services Systems Manager User Guide.
Information about the delete operation.
", "refs": { - "DeleteInventoryResult$DeletionSummary": "A summary of the delete operation. For more information about this summary, see Understanding the delete inventory summary in the Amazon Web Services Systems Manager User Guide.
", - "InventoryDeletionStatusItem$DeletionSummary": "Information about the delete operation. For more information about this summary, see Understanding the delete inventory summary in the Amazon Web Services Systems Manager User Guide.
" + "DeleteInventoryResult$DeletionSummary": "A summary of the delete operation. For more information about this summary, see Deleting custom inventory in the Amazon Web Services Systems Manager User Guide.
", + "InventoryDeletionStatusItem$DeletionSummary": "Information about the delete operation. For more information about this summary, see Understanding the delete inventory summary in the Amazon Web Services Systems Manager User Guide.
" } }, "InventoryDeletionSummaryItem": { @@ -3982,7 +3995,7 @@ "InventoryQueryOperatorType": { "base": null, "refs": { - "InventoryFilter$Type": "The type of filter.
The Exists
filter must be used with aggregators. For more information, see Aggregating inventory data in the Amazon Web Services Systems Manager User Guide.
The type of filter.
The Exists
filter must be used with aggregators. For more information, see Aggregating inventory data in the Amazon Web Services Systems Manager User Guide.
Optional filters used to scope down the returned task invocations. The supported filter key is STATUS
with the corresponding values PENDING
, IN_PROGRESS
, SUCCESS
, FAILED
, TIMED_OUT
, CANCELLING
, and CANCELLED
.
Optional filters used to scope down the returned tasks. The supported filter key is STATUS
with the corresponding values PENDING
, IN_PROGRESS
, SUCCESS
, FAILED
, TIMED_OUT
, CANCELLING
, and CANCELLED
.
Each entry in the array is a structure containing:
Key. A string between 1 and 128 characters. Supported keys include ExecutedBefore
and ExecutedAfter
.
Values. An array of strings, each between 1 and 256 characters. Supported values are date/time strings in a valid ISO 8601 date/time format, such as 2021-11-04T05:00:00Z
.
Each entry in the array is a structure containing:
Key. A string between 1 and 128 characters. Supported keys include ExecutedBefore
and ExecutedAfter
.
Values. An array of strings, each between 1 and 256 characters. Supported values are date/time strings in a valid ISO 8601 date/time format, such as 2024-11-04T05:00:00Z
.
Optional filters that can be used to narrow down the scope of the returned window targets. The supported filter keys are Type
, WindowTargetId
, and OwnerInformation
.
Optional filters used to narrow down the scope of the returned tasks. The supported filter keys are WindowTaskId
, TaskArn
, Priority
, and TaskType
.
Optional filters used to narrow down the scope of the returned maintenance windows. Supported filter keys are Name
and Enabled
. For example, Name=MyMaintenanceWindow
and Enabled=True
.
The maximum number of targets this task can be run for, in parallel.
Although this element is listed as \"Required: No\", a value can be omitted only when you are registering or updating a targetless task You must provide a value in all other cases.
For maintenance window tasks without a target specified, you can't supply a value for this option. Instead, the system inserts a placeholder value of 1
. This value doesn't affect the running of your task.
The MaxConcurrency
value specified by the user when the operation started, indicating the maximum number of resources that the runbook operation can run on at the same time.
(Optional) The maximum number of managed nodes that are allowed to run the command at the same time. You can specify a number such as 10 or a percentage such as 10%. The default value is 50
. For more information about how to use MaxConcurrency
, see Using concurrency controls in the Amazon Web Services Systems Manager User Guide.
The maximum number of targets allowed to run this task in parallel. You can specify a number, such as 10, or a percentage, such as 10%. The default value is 10
.
The maximum number of targets allowed to run this task in parallel. You can specify a number, such as 10, or a percentage, such as 10%. The default value is 10
.
If both this parameter and the TargetLocation:TargetsMaxConcurrency
are supplied, TargetLocation:TargetsMaxConcurrency
takes precedence.
The maximum number of Amazon Web Services Regions and Amazon Web Services accounts allowed to run the Automation concurrently.
", + "TargetLocation$TargetsMaxConcurrency": "The maximum number of targets allowed to run this task in parallel. This TargetsMaxConcurrency
takes precedence over the StartAutomationExecution:MaxConcurrency
parameter if both are supplied.
The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time.
If a new managed node starts and attempts to run an association while Systems Manager is running MaxConcurrency
associations, the association is allowed to run. During the next association interval, the new managed node will process its association within the limit specified for MaxConcurrency
.
The new MaxConcurrency
value you want to specify. MaxConcurrency
is the number of targets that are allowed to run this task, in parallel.
Although this element is listed as \"Required: No\", a value can be omitted only when you are registering or updating a targetless task You must provide a value in all other cases.
For maintenance window tasks without a target specified, you can't supply a value for this option. Instead, the system inserts a placeholder value of 1
. This value doesn't affect the running of your task.
The updated MaxConcurrency
value.
The maximum number of errors allowed before this task stops being scheduled.
Although this element is listed as \"Required: No\", a value can be omitted only when you are registering or updating a targetless task You must provide a value in all other cases.
For maintenance window tasks without a target specified, you can't supply a value for this option. Instead, the system inserts a placeholder value of 1
. This value doesn't affect the running of your task.
The MaxErrors
value specified by the user when the execution started, indicating the maximum number of errors that can occur during the operation before the updates are stopped or rolled back.
The maximum number of errors allowed without the command failing. When the command fails one more time beyond the value of MaxErrors
, the systems stops sending the command to additional targets. You can specify a number like 10 or a percentage like 10%. The default value is 0
. For more information about how to use MaxErrors
, see Using error controls in the Amazon Web Services Systems Manager User Guide.
The number of errors that are allowed before the system stops running the automation on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops running the automation when the fourth error is received. If you specify 0, then the system stops running the automation on additional targets after the first error result is returned. If you run an automation on 50 resources and set max-errors to 10%, then the system stops running the automation on additional targets when the sixth error is received.
Executions that are already running an automation when max-errors is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set max-concurrency to 1 so the executions proceed one at a time.
", + "StartAutomationExecutionRequest$MaxErrors": "The number of errors that are allowed before the system stops running the automation on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops running the automation when the fourth error is received. If you specify 0, then the system stops running the automation on additional targets after the first error result is returned. If you run an automation on 50 resources and set max-errors to 10%, then the system stops running the automation on additional targets when the sixth error is received.
Executions that are already running an automation when max-errors is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set max-concurrency to 1 so the executions proceed one at a time.
If this parameter and the TargetLocation:TargetsMaxErrors
parameter are both supplied, TargetLocation:TargetsMaxErrors
takes precedence.
The maximum number of errors allowed before the system stops queueing additional Automation executions for the currently running Automation.
", + "TargetLocation$TargetsMaxErrors": "The maximum number of errors that are allowed before the system stops running the automation on additional targets. This TargetsMaxErrors
parameter takes precedence over the StartAutomationExecution:MaxErrors
parameter if both are supplied.
The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 managed nodes and set MaxError
to 10%, then the system stops sending the request when the sixth error is received.
Executions that are already running an association when MaxErrors
is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set MaxConcurrency
to 1 so that executions proceed one at a time.
The new MaxErrors
value to specify. MaxErrors
is the maximum number of errors that are allowed before the task stops being scheduled.
Although this element is listed as \"Required: No\", a value can be omitted only when you are registering or updating a targetless task You must provide a value in all other cases.
For maintenance window tasks without a target specified, you can't supply a value for this option. Instead, the system inserts a placeholder value of 1
. This value doesn't affect the running of your task.
The updated MaxErrors
value.
The OpsItem status. Status can be Open
, In Progress
, or Resolved
. For more information, see Editing OpsItem details in the Amazon Web Services Systems Manager User Guide.
The OpsItem status. Status can be Open
, In Progress
, or Resolved
.
The OpsItem status. Status can be Open
, In Progress
, or Resolved
. For more information, see Editing OpsItem details in the Amazon Web Services Systems Manager User Guide.
The OpsItem status. For more information, see Editing OpsItem details in the Amazon Web Services Systems Manager User Guide.
", + "OpsItemSummary$Status": "The OpsItem status.
", + "UpdateOpsItemRequest$Status": "The OpsItem status. For more information, see Editing OpsItem details in the Amazon Web Services Systems Manager User Guide.
" } }, "OpsItemSummaries": { @@ -5845,7 +5860,7 @@ "refs": { "DeleteParameterRequest$Name": "The name of the parameter to delete.
You can't enter the Amazon Resource Name (ARN) for a parameter, only the parameter name itself.
The name or Amazon Resource Name (ARN) of the parameter for which you want to review history. For parameters shared with you from another account, you must use the full ARN.
", - "GetParameterRequest$Name": "The name or Amazon Resource Name (ARN) of the parameter that you want to query. For parameters shared with you from another account, you must use the full ARN.
To query by parameter label, use \"Name\": \"name:label\"
. To query by parameter version, use \"Name\": \"name:version\"
.
For more information about shared parameters, see Working with shared parameters in the Amazon Web Services Systems Manager User Guide.
", + "GetParameterRequest$Name": "The name or Amazon Resource Name (ARN) of the parameter that you want to query. For parameters shared with you from another account, you must use the full ARN.
To query by parameter label, use \"Name\": \"name:label\"
. To query by parameter version, use \"Name\": \"name:version\"
.
For more information about shared parameters, see Working with shared parameters in the Amazon Web Services Systems Manager User Guide.
", "GetParametersByPathRequest$Path": "The hierarchy for the parameter. Hierarchies start with a forward slash (/). The hierarchy is the parameter name except the last part of the parameter. For the API call to succeed, the last part of the parameter name can't be in the path. A parameter name hierarchy can have a maximum of 15 levels. Here is an example of a hierarchy: /Finance/Prod/IAD/WinServ2016/license33
The parameter name on which you want to attach one or more labels.
You can't enter the Amazon Resource Name (ARN) for a parameter, only the parameter name itself.
The name of the parameter.
", @@ -6258,7 +6273,7 @@ "PatchComplianceDataState": { "base": null, "refs": { - "PatchComplianceData$State": "The state of the patch on the managed node, such as INSTALLED or FAILED.
For descriptions of each patch state, see About patch compliance in the Amazon Web Services Systems Manager User Guide.
" + "PatchComplianceData$State": "The state of the patch on the managed node, such as INSTALLED or FAILED.
For descriptions of each patch state, see About patch compliance in the Amazon Web Services Systems Manager User Guide.
" } }, "PatchComplianceLevel": { @@ -6402,14 +6417,14 @@ "PatchIdList": { "base": null, "refs": { - "BaselineOverride$ApprovedPatches": "A list of explicitly approved patches for the baseline.
For information about accepted formats for lists of approved patches and rejected patches, see About package name formats for approved and rejected patch lists in the Amazon Web Services Systems Manager User Guide.
", - "BaselineOverride$RejectedPatches": "A list of explicitly rejected patches for the baseline.
For information about accepted formats for lists of approved patches and rejected patches, see About package name formats for approved and rejected patch lists in the Amazon Web Services Systems Manager User Guide.
", - "CreatePatchBaselineRequest$ApprovedPatches": "A list of explicitly approved patches for the baseline.
For information about accepted formats for lists of approved patches and rejected patches, see About package name formats for approved and rejected patch lists in the Amazon Web Services Systems Manager User Guide.
", - "CreatePatchBaselineRequest$RejectedPatches": "A list of explicitly rejected patches for the baseline.
For information about accepted formats for lists of approved patches and rejected patches, see About package name formats for approved and rejected patch lists in the Amazon Web Services Systems Manager User Guide.
", + "BaselineOverride$ApprovedPatches": "A list of explicitly approved patches for the baseline.
For information about accepted formats for lists of approved patches and rejected patches, see Package name formats for approved and rejected patch lists in the Amazon Web Services Systems Manager User Guide.
", + "BaselineOverride$RejectedPatches": "A list of explicitly rejected patches for the baseline.
For information about accepted formats for lists of approved patches and rejected patches, see Package name formats for approved and rejected patch lists in the Amazon Web Services Systems Manager User Guide.
", + "CreatePatchBaselineRequest$ApprovedPatches": "A list of explicitly approved patches for the baseline.
For information about accepted formats for lists of approved patches and rejected patches, see Package name formats for approved and rejected patch lists in the Amazon Web Services Systems Manager User Guide.
", + "CreatePatchBaselineRequest$RejectedPatches": "A list of explicitly rejected patches for the baseline.
For information about accepted formats for lists of approved patches and rejected patches, see Package name formats for approved and rejected patch lists in the Amazon Web Services Systems Manager User Guide.
", "GetPatchBaselineResult$ApprovedPatches": "A list of explicitly approved patches for the baseline.
", "GetPatchBaselineResult$RejectedPatches": "A list of explicitly rejected patches for the baseline.
", - "UpdatePatchBaselineRequest$ApprovedPatches": "A list of explicitly approved patches for the baseline.
For information about accepted formats for lists of approved patches and rejected patches, see About package name formats for approved and rejected patch lists in the Amazon Web Services Systems Manager User Guide.
", - "UpdatePatchBaselineRequest$RejectedPatches": "A list of explicitly rejected patches for the baseline.
For information about accepted formats for lists of approved patches and rejected patches, see About package name formats for approved and rejected patch lists in the Amazon Web Services Systems Manager User Guide.
", + "UpdatePatchBaselineRequest$ApprovedPatches": "A list of explicitly approved patches for the baseline.
For information about accepted formats for lists of approved patches and rejected patches, see Package name formats for approved and rejected patch lists in the Amazon Web Services Systems Manager User Guide.
", + "UpdatePatchBaselineRequest$RejectedPatches": "A list of explicitly rejected patches for the baseline.
For information about accepted formats for lists of approved patches and rejected patches, see Package name formats for approved and rejected patch lists in the Amazon Web Services Systems Manager User Guide.
", "UpdatePatchBaselineResult$ApprovedPatches": "A list of explicitly approved patches for the baseline.
", "UpdatePatchBaselineResult$RejectedPatches": "A list of explicitly rejected patches for the baseline.
" } @@ -6509,7 +6524,7 @@ "base": null, "refs": { "DescribeAvailablePatchesRequest$Filters": "Each element in the array is a structure containing a key-value pair.
Windows Server
Supported keys for Windows Server managed node patches include the following:
PATCH_SET
Sample values: OS
| APPLICATION
PRODUCT
Sample values: WindowsServer2012
| Office 2010
| MicrosoftDefenderAntivirus
PRODUCT_FAMILY
Sample values: Windows
| Office
MSRC_SEVERITY
Sample values: ServicePacks
| Important
| Moderate
CLASSIFICATION
Sample values: ServicePacks
| SecurityUpdates
| DefinitionUpdates
PATCH_ID
Sample values: KB123456
| KB4516046
Linux
When specifying filters for Linux patches, you must specify a key-pair for PRODUCT
. For example, using the Command Line Interface (CLI), the following command fails:
aws ssm describe-available-patches --filters Key=CVE_ID,Values=CVE-2018-3615
However, the following command succeeds:
aws ssm describe-available-patches --filters Key=PRODUCT,Values=AmazonLinux2018.03 Key=CVE_ID,Values=CVE-2018-3615
Supported keys for Linux managed node patches include the following:
PRODUCT
Sample values: AmazonLinux2018.03
| AmazonLinux2.0
NAME
Sample values: kernel-headers
| samba-python
| php
SEVERITY
Sample values: Critical
| Important
| Medium
| Low
EPOCH
Sample values: 0
| 1
VERSION
Sample values: 78.6.1
| 4.10.16
RELEASE
Sample values: 9.56.amzn1
| 1.amzn2
ARCH
Sample values: i686
| x86_64
REPOSITORY
Sample values: Core
| Updates
ADVISORY_ID
Sample values: ALAS-2018-1058
| ALAS2-2021-1594
CVE_ID
Sample values: CVE-2018-3615
| CVE-2020-1472
BUGZILLA_ID
Sample values: 1463241
Each element in the array is a structure containing a key-value pair.
Supported keys for DescribeInstancePatches
include the following:
Classification
Sample values: Security
| SecurityUpdates
KBId
Sample values: KB4480056
| java-1.7.0-openjdk.x86_64
Severity
Sample values: Important
| Medium
| Low
State
Sample values: Installed
| InstalledOther
| InstalledPendingReboot
For lists of all State
values, see Understanding patch compliance state values in the Amazon Web Services Systems Manager User Guide.
Each element in the array is a structure containing a key-value pair.
Supported keys for DescribeInstancePatches
include the following:
Classification
Sample values: Security
| SecurityUpdates
KBId
Sample values: KB4480056
| java-1.7.0-openjdk.x86_64
Severity
Sample values: Important
| Medium
| Low
State
Sample values: Installed
| InstalledOther
| InstalledPendingReboot
For lists of all State
values, see Patch compliance state values in the Amazon Web Services Systems Manager User Guide.
Filters used to limit the range of results. For example, you can limit maintenance window executions to only those scheduled before or after a certain date and time.
", "DescribePatchBaselinesRequest$Filters": "Each element in the array is a structure containing a key-value pair.
Supported keys for DescribePatchBaselines
include the following:
NAME_PREFIX
Sample values: AWS-
| My-
OWNER
Sample values: AWS
| Self
OPERATING_SYSTEM
Sample values: AMAZON_LINUX
| SUSE
| WINDOWS
Each element in the array is a structure containing a key-value pair.
Supported keys for DescribePatchGroups
include the following:
NAME_PREFIX
Sample values: AWS-
| My-
.
OPERATING_SYSTEM
Sample values: AMAZON_LINUX
| SUSE
| WINDOWS
The cutoff date for auto approval of released patches. Any patches released on or before this date are installed automatically.
Enter dates in the format YYYY-MM-DD
. For example, 2021-12-31
.
This parameter is marked as not required, but your request must include a value for either ApproveUntilDate
or ApproveAfterDays
.
Not supported for Debian Server or Ubuntu Server.
" + "PatchRule$ApproveUntilDate": "The cutoff date for auto approval of released patches. Any patches released on or before this date are installed automatically.
Enter dates in the format YYYY-MM-DD
. For example, 2024-12-31
.
This parameter is marked as Required: No
, but your request must include a value for either ApproveUntilDate
or ApproveAfterDays
.
Not supported for Debian Server or Ubuntu Server.
Use caution when setting this value for Windows Server patch baselines. Because patch updates that are replaced by later updates are removed, setting too broad a value for this parameter can result in crucial patches not being installed. For more information, see the Windows Server tab in the topic How security patches are selected in the Amazon Web Services Systems Manager User Guide.
The S3 bucket where the responses to the command executions should be stored. This was requested when issuing the command.
", - "CommandPlugin$OutputS3BucketName": "The S3 bucket where the responses to the command executions should be stored. This was requested when issuing the command. For example, in the following response:
doc-example-bucket/ab19cb99-a030-46dd-9dfc-8eSAMPLEPre-Fix/i-02573cafcfEXAMPLE/awsrunShellScript
doc-example-bucket
is the name of the S3 bucket;
ab19cb99-a030-46dd-9dfc-8eSAMPLEPre-Fix
is the name of the S3 prefix;
i-02573cafcfEXAMPLE
is the managed node ID;
awsrunShellScript
is the name of the plugin.
The S3 bucket where the responses to the command executions should be stored. This was requested when issuing the command. For example, in the following response:
amzn-s3-demo-bucket/my-prefix/i-02573cafcfEXAMPLE/awsrunShellScript
amzn-s3-demo-bucket
is the name of the S3 bucket;
my-prefix
is the name of the S3 prefix;
i-02573cafcfEXAMPLE
is the managed node ID;
awsrunShellScript
is the name of the plugin.
The name of an S3 bucket where execution logs are stored.
", "MaintenanceWindowRunCommandParameters$OutputS3BucketName": "The name of the Amazon Simple Storage Service (Amazon S3) bucket.
", "S3OutputLocation$OutputS3BucketName": "The name of the S3 bucket.
", @@ -7358,7 +7373,7 @@ "base": null, "refs": { "Command$OutputS3KeyPrefix": "The S3 directory path inside the bucket where the responses to the command executions should be stored. This was requested when issuing the command.
", - "CommandPlugin$OutputS3KeyPrefix": "The S3 directory path inside the bucket where the responses to the command executions should be stored. This was requested when issuing the command. For example, in the following response:
doc-example-bucket/ab19cb99-a030-46dd-9dfc-8eSAMPLEPre-Fix/i-02573cafcfEXAMPLE/awsrunShellScript
doc-example-bucket
is the name of the S3 bucket;
ab19cb99-a030-46dd-9dfc-8eSAMPLEPre-Fix
is the name of the S3 prefix;
i-02573cafcfEXAMPLE
is the managed node ID;
awsrunShellScript
is the name of the plugin.
The S3 directory path inside the bucket where the responses to the command executions should be stored. This was requested when issuing the command. For example, in the following response:
amzn-s3-demo-bucket/my-prefix/i-02573cafcfEXAMPLE/awsrunShellScript
amzn-s3-demo-bucket
is the name of the S3 bucket;
my-prefix
is the name of the S3 prefix;
i-02573cafcfEXAMPLE
is the managed node ID;
awsrunShellScript
is the name of the plugin.
(Optional) The S3 bucket subfolder.
", "MaintenanceWindowRunCommandParameters$OutputS3KeyPrefix": "The S3 bucket subfolder.
", "S3OutputLocation$OutputS3KeyPrefix": "The S3 bucket subfolder.
", @@ -7447,13 +7462,13 @@ "Command$ServiceRole": "The Identity and Access Management (IAM) service role that Run Command, a capability of Amazon Web Services Systems Manager, uses to act on your behalf when sending notifications about command status changes.
", "CommandInvocation$ServiceRole": "The Identity and Access Management (IAM) service role that Run Command, a capability of Amazon Web Services Systems Manager, uses to act on your behalf when sending notifications about command status changes on a per managed node basis.
", "GetMaintenanceWindowExecutionTaskResult$ServiceRole": "The role that was assumed when running the task.
", - "GetMaintenanceWindowTaskResult$ServiceRoleArn": "The Amazon Resource Name (ARN) of the IAM service role for Amazon Web Services Systems Manager to assume when running a maintenance window task. If you do not specify a service role ARN, Systems Manager uses a service-linked role in your account. If no appropriate service-linked role for Systems Manager exists in your account, it is created when you run RegisterTaskWithMaintenanceWindow
.
However, for an improved security posture, we strongly recommend creating a custom policy and custom service role for running your maintenance window tasks. The policy can be crafted to provide only the permissions needed for your particular maintenance window tasks. For more information, see Setting up maintenance windows in the in the Amazon Web Services Systems Manager User Guide.
", - "MaintenanceWindowRunCommandParameters$ServiceRoleArn": "The Amazon Resource Name (ARN) of the IAM service role for Amazon Web Services Systems Manager to assume when running a maintenance window task. If you do not specify a service role ARN, Systems Manager uses a service-linked role in your account. If no appropriate service-linked role for Systems Manager exists in your account, it is created when you run RegisterTaskWithMaintenanceWindow
.
However, for an improved security posture, we strongly recommend creating a custom policy and custom service role for running your maintenance window tasks. The policy can be crafted to provide only the permissions needed for your particular maintenance window tasks. For more information, see Setting up maintenance windows in the in the Amazon Web Services Systems Manager User Guide.
", - "MaintenanceWindowTask$ServiceRoleArn": "The Amazon Resource Name (ARN) of the IAM service role for Amazon Web Services Systems Manager to assume when running a maintenance window task. If you do not specify a service role ARN, Systems Manager uses a service-linked role in your account. If no appropriate service-linked role for Systems Manager exists in your account, it is created when you run RegisterTaskWithMaintenanceWindow
.
However, for an improved security posture, we strongly recommend creating a custom policy and custom service role for running your maintenance window tasks. The policy can be crafted to provide only the permissions needed for your particular maintenance window tasks. For more information, see Setting up maintenance windows in the in the Amazon Web Services Systems Manager User Guide.
", - "RegisterTaskWithMaintenanceWindowRequest$ServiceRoleArn": "The Amazon Resource Name (ARN) of the IAM service role for Amazon Web Services Systems Manager to assume when running a maintenance window task. If you do not specify a service role ARN, Systems Manager uses a service-linked role in your account. If no appropriate service-linked role for Systems Manager exists in your account, it is created when you run RegisterTaskWithMaintenanceWindow
.
However, for an improved security posture, we strongly recommend creating a custom policy and custom service role for running your maintenance window tasks. The policy can be crafted to provide only the permissions needed for your particular maintenance window tasks. For more information, see Setting up maintenance windows in the in the Amazon Web Services Systems Manager User Guide.
", + "GetMaintenanceWindowTaskResult$ServiceRoleArn": "The Amazon Resource Name (ARN) of the IAM service role for Amazon Web Services Systems Manager to assume when running a maintenance window task. If you do not specify a service role ARN, Systems Manager uses a service-linked role in your account. If no appropriate service-linked role for Systems Manager exists in your account, it is created when you run RegisterTaskWithMaintenanceWindow
.
However, for an improved security posture, we strongly recommend creating a custom policy and custom service role for running your maintenance window tasks. The policy can be crafted to provide only the permissions needed for your particular maintenance window tasks. For more information, see Setting up Maintenance Windows in the in the Amazon Web Services Systems Manager User Guide.
", + "MaintenanceWindowRunCommandParameters$ServiceRoleArn": "The Amazon Resource Name (ARN) of the IAM service role for Amazon Web Services Systems Manager to assume when running a maintenance window task. If you do not specify a service role ARN, Systems Manager uses a service-linked role in your account. If no appropriate service-linked role for Systems Manager exists in your account, it is created when you run RegisterTaskWithMaintenanceWindow
.
However, for an improved security posture, we strongly recommend creating a custom policy and custom service role for running your maintenance window tasks. The policy can be crafted to provide only the permissions needed for your particular maintenance window tasks. For more information, see Setting up Maintenance Windows in the in the Amazon Web Services Systems Manager User Guide.
", + "MaintenanceWindowTask$ServiceRoleArn": "The Amazon Resource Name (ARN) of the IAM service role for Amazon Web Services Systems Manager to assume when running a maintenance window task. If you do not specify a service role ARN, Systems Manager uses a service-linked role in your account. If no appropriate service-linked role for Systems Manager exists in your account, it is created when you run RegisterTaskWithMaintenanceWindow
.
However, for an improved security posture, we strongly recommend creating a custom policy and custom service role for running your maintenance window tasks. The policy can be crafted to provide only the permissions needed for your particular maintenance window tasks. For more information, see Setting up Maintenance Windows in the in the Amazon Web Services Systems Manager User Guide.
", + "RegisterTaskWithMaintenanceWindowRequest$ServiceRoleArn": "The Amazon Resource Name (ARN) of the IAM service role for Amazon Web Services Systems Manager to assume when running a maintenance window task. If you do not specify a service role ARN, Systems Manager uses a service-linked role in your account. If no appropriate service-linked role for Systems Manager exists in your account, it is created when you run RegisterTaskWithMaintenanceWindow
.
However, for an improved security posture, we strongly recommend creating a custom policy and custom service role for running your maintenance window tasks. The policy can be crafted to provide only the permissions needed for your particular maintenance window tasks. For more information, see Setting up Maintenance Windows in the in the Amazon Web Services Systems Manager User Guide.
", "SendCommandRequest$ServiceRoleArn": "The ARN of the Identity and Access Management (IAM) service role to use to publish Amazon Simple Notification Service (Amazon SNS) notifications for Run Command commands.
This role must provide the sns:Publish
permission for your notification topic. For information about creating and using this service role, see Monitoring Systems Manager status changes using Amazon SNS notifications in the Amazon Web Services Systems Manager User Guide.
The Amazon Resource Name (ARN) of the IAM service role for Amazon Web Services Systems Manager to assume when running a maintenance window task. If you do not specify a service role ARN, Systems Manager uses a service-linked role in your account. If no appropriate service-linked role for Systems Manager exists in your account, it is created when you run RegisterTaskWithMaintenanceWindow
.
However, for an improved security posture, we strongly recommend creating a custom policy and custom service role for running your maintenance window tasks. The policy can be crafted to provide only the permissions needed for your particular maintenance window tasks. For more information, see Setting up maintenance windows in the in the Amazon Web Services Systems Manager User Guide.
", - "UpdateMaintenanceWindowTaskResult$ServiceRoleArn": "The Amazon Resource Name (ARN) of the IAM service role for Amazon Web Services Systems Manager to assume when running a maintenance window task. If you do not specify a service role ARN, Systems Manager uses a service-linked role in your account. If no appropriate service-linked role for Systems Manager exists in your account, it is created when you run RegisterTaskWithMaintenanceWindow
.
However, for an improved security posture, we strongly recommend creating a custom policy and custom service role for running your maintenance window tasks. The policy can be crafted to provide only the permissions needed for your particular maintenance window tasks. For more information, see Setting up maintenance windows in the in the Amazon Web Services Systems Manager User Guide.
" + "UpdateMaintenanceWindowTaskRequest$ServiceRoleArn": "The Amazon Resource Name (ARN) of the IAM service role for Amazon Web Services Systems Manager to assume when running a maintenance window task. If you do not specify a service role ARN, Systems Manager uses a service-linked role in your account. If no appropriate service-linked role for Systems Manager exists in your account, it is created when you run RegisterTaskWithMaintenanceWindow
.
However, for an improved security posture, we strongly recommend creating a custom policy and custom service role for running your maintenance window tasks. The policy can be crafted to provide only the permissions needed for your particular maintenance window tasks. For more information, see Setting up Maintenance Windows in the in the Amazon Web Services Systems Manager User Guide.
", + "UpdateMaintenanceWindowTaskResult$ServiceRoleArn": "The Amazon Resource Name (ARN) of the IAM service role for Amazon Web Services Systems Manager to assume when running a maintenance window task. If you do not specify a service role ARN, Systems Manager uses a service-linked role in your account. If no appropriate service-linked role for Systems Manager exists in your account, it is created when you run RegisterTaskWithMaintenanceWindow
.
However, for an improved security posture, we strongly recommend creating a custom policy and custom service role for running your maintenance window tasks. The policy can be crafted to provide only the permissions needed for your particular maintenance window tasks. For more information, see Setting up Maintenance Windows in the in the Amazon Web Services Systems Manager User Guide.
" } }, "ServiceSetting": { @@ -7517,7 +7532,7 @@ "SessionFilterValue": { "base": null, "refs": { - "SessionFilter$value": "The filter value. Valid values for each filter key are as follows:
InvokedAfter: Specify a timestamp to limit your results. For example, specify 2018-08-29T00:00:00Z to see sessions that started August 29, 2018, and later.
InvokedBefore: Specify a timestamp to limit your results. For example, specify 2018-08-29T00:00:00Z to see sessions that started before August 29, 2018.
Target: Specify a managed node to which session connections have been made.
Owner: Specify an Amazon Web Services user to see a list of sessions started by that user.
Status: Specify a valid session status to see a list of all sessions with that status. Status values you can specify include:
Connected
Connecting
Disconnected
Terminated
Terminating
Failed
SessionId: Specify a session ID to return details about the session.
The filter value. Valid values for each filter key are as follows:
InvokedAfter: Specify a timestamp to limit your results. For example, specify 2024-08-29T00:00:00Z to see sessions that started August 29, 2024, and later.
InvokedBefore: Specify a timestamp to limit your results. For example, specify 2024-08-29T00:00:00Z to see sessions that started before August 29, 2024.
Target: Specify a managed node to which session connections have been made.
Owner: Specify an Amazon Web Services user to see a list of sessions started by that user.
Status: Specify a valid session status to see a list of all sessions with that status. Status values you can specify include:
Connected
Connecting
Disconnected
Terminated
Terminating
Failed
SessionId: Specify a session ID to return details about the session.
The name of the operating system platform running on your managed node.
", "InstanceInformation$PlatformVersion": "The version of the OS platform running on your managed node.
", - "InstanceInformation$Name": "The name assigned to an on-premises server, edge device, or virtual machine (VM) when it is activated as a Systems Manager managed node. The name is specified as the DefaultInstanceName
property using the CreateActivation command. It is applied to the managed node by specifying the Activation Code and Activation ID when you install SSM Agent on the node, as explained in Install SSM Agent for a hybrid and multicloud environment (Linux) and Install SSM Agent for a hybrid and multicloud environment (Windows). To retrieve the Name
tag of an EC2 instance, use the Amazon EC2 DescribeInstances
operation. For information, see DescribeInstances in the Amazon EC2 API Reference or describe-instances in the Amazon Web Services CLI Command Reference.
The name assigned to an on-premises server, edge device, or virtual machine (VM) when it is activated as a Systems Manager managed node. The name is specified as the DefaultInstanceName
property using the CreateActivation command. It is applied to the managed node by specifying the Activation Code and Activation ID when you install SSM Agent on the node, as explained in How to install SSM Agent on hybrid Linux nodes and How to install SSM Agent on hybrid Windows Server nodes. To retrieve the Name
tag of an EC2 instance, use the Amazon EC2 DescribeInstances
operation. For information, see DescribeInstances in the Amazon EC2 API Reference or describe-instances in the Amazon Web Services CLI Command Reference.
The type of managed node.
", "InternalServerError$Message": null, "InvalidActivation$Message": null, @@ -8123,10 +8138,18 @@ "CreateAssociationBatchRequestEntry$TargetLocations": "Use this action to create an association in multiple Regions and multiple accounts.
", "CreateAssociationRequest$TargetLocations": "A location is a combination of Amazon Web Services Regions and Amazon Web Services accounts where you want to run the association. Use this action to create an association in multiple Regions and multiple accounts.
", "Runbook$TargetLocations": "Information about the Amazon Web Services Regions and Amazon Web Services accounts targeted by the current Runbook operation.
", - "StartAutomationExecutionRequest$TargetLocations": "A location is a combination of Amazon Web Services Regions and/or Amazon Web Services accounts where you want to run the automation. Use this operation to start an automation in multiple Amazon Web Services Regions and multiple Amazon Web Services accounts. For more information, see Running Automation workflows in multiple Amazon Web Services Regions and Amazon Web Services accounts in the Amazon Web Services Systems Manager User Guide.
", + "StartAutomationExecutionRequest$TargetLocations": "A location is a combination of Amazon Web Services Regions and/or Amazon Web Services accounts where you want to run the automation. Use this operation to start an automation in multiple Amazon Web Services Regions and multiple Amazon Web Services accounts. For more information, see Running automations in multiple Amazon Web Services Regions and accounts in the Amazon Web Services Systems Manager User Guide.
", "UpdateAssociationRequest$TargetLocations": "A location is a combination of Amazon Web Services Regions and Amazon Web Services accounts where you want to run the association. Use this action to update an association in multiple Regions and multiple accounts.
" } }, + "TargetLocationsURL": { + "base": null, + "refs": { + "AutomationExecution$TargetLocationsURL": "A publicly accessible URL for a file that contains the TargetLocations
body. Currently, only files in presigned Amazon S3 buckets are supported
A publicly accessible URL for a file that contains the TargetLocations
body. Currently, only files in presigned Amazon S3 buckets are supported
Specify a publicly accessible URL for a file that contains the TargetLocations
body. Currently, only files in presigned Amazon S3 buckets are supported.
The specified target managed node for the session isn't fully configured for use with Session Manager. For more information, see Getting started with Session Manager in the Amazon Web Services Systems Manager User Guide. This error is also returned if you attempt to start a session on a managed node that is located in a different account or Region
", + "base": "The specified target managed node for the session isn't fully configured for use with Session Manager. For more information, see Setting up Session Manager in the Amazon Web Services Systems Manager User Guide. This error is also returned if you attempt to start a session on a managed node that is located in a different account or Region
", "refs": { } }, @@ -8208,7 +8231,7 @@ "AutomationExecutionMetadata$Targets": "The targets defined by the user when starting the automation.
", "Command$Targets": "An array of search criteria that targets managed nodes using a Key,Value combination that you specify. Targets is required if you don't provide one or more managed node IDs in the call.
", "CreateAssociationBatchRequestEntry$Targets": "The managed nodes targeted by the request.
", - "CreateAssociationRequest$Targets": "The targets for the association. You can target managed nodes by using tags, Amazon Web Services resource groups, all managed nodes in an Amazon Web Services account, or individual managed node IDs. You can target all managed nodes in an Amazon Web Services account by specifying the InstanceIds
key with a value of *
. For more information about choosing targets for an association, see About targets and rate controls in State Manager associations in the Amazon Web Services Systems Manager User Guide.
The targets for the association. You can target managed nodes by using tags, Amazon Web Services resource groups, all managed nodes in an Amazon Web Services account, or individual managed node IDs. You can target all managed nodes in an Amazon Web Services account by specifying the InstanceIds
key with a value of *
. For more information about choosing targets for an association, see Understanding targets and rate controls in State Manager associations in the Amazon Web Services Systems Manager User Guide.
The managed node ID or key-value pair to retrieve information about.
", "DescribeMaintenanceWindowsForTargetRequest$Targets": "The managed node ID or key-value pair to retrieve information about.
", "GetMaintenanceWindowTaskResult$Targets": "The targets where the task should run.
", @@ -8218,8 +8241,9 @@ "RegisterTaskWithMaintenanceWindowRequest$Targets": "The targets (either managed nodes or maintenance window targets).
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide.
Specify managed nodes using the following format:
Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>
Specify maintenance window targets using the following format:
Key=WindowTargetIds,Values=<window-target-id-1>,<window-target-id-2>
A key-value mapping to target resources that the runbook operation performs tasks on. Required if you specify TargetParameterName
.
An array of search criteria that targets managed nodes using a Key,Value
combination that you specify. Specifying targets is most useful when you want to send a command to a large number of managed nodes at once. Using Targets
, which accepts tag key-value pairs to identify managed nodes, you can send a command to tens, hundreds, or thousands of nodes at once.
To send a command to a smaller number of managed nodes, you can use the InstanceIds
option instead.
For more information about how to use targets, see Run commands at scale in the Amazon Web Services Systems Manager User Guide.
", - "StartAutomationExecutionRequest$Targets": "A key-value mapping to target resources. Required if you specify TargetParameterName.
", + "StartAutomationExecutionRequest$Targets": "A key-value mapping to target resources. Required if you specify TargetParameterName.
If both this parameter and the TargetLocation:Targets
parameter are supplied, TargetLocation:Targets
takes precedence.
The targets for the step execution.
", + "TargetLocation$Targets": "A list of key-value mappings to target resources. If you specify values for this data type, you must also specify a value for TargetParameterName
.
This Targets
parameter takes precedence over the StartAutomationExecution:Targets
parameter if both are supplied.
The targets of the association.
", "UpdateMaintenanceWindowTargetRequest$Targets": "The targets to add or replace.
", "UpdateMaintenanceWindowTargetResult$Targets": "The updated targets.
", diff --git a/gems/aws-sdk-codebuild/CHANGELOG.md b/gems/aws-sdk-codebuild/CHANGELOG.md index f23f73bd443..ecee30ce966 100644 --- a/gems/aws-sdk-codebuild/CHANGELOG.md +++ b/gems/aws-sdk-codebuild/CHANGELOG.md @@ -1,6 +1,11 @@ Unreleased Changes ------------------ +1.129.0 (2024-09-17) +------------------ + +* Feature - GitLab Enhancements - Add support for Self-Hosted GitLab runners in CodeBuild. Add group webhooks + 1.128.0 (2024-09-11) ------------------ diff --git a/gems/aws-sdk-codebuild/VERSION b/gems/aws-sdk-codebuild/VERSION index a7063724533..365ef018e15 100644 --- a/gems/aws-sdk-codebuild/VERSION +++ b/gems/aws-sdk-codebuild/VERSION @@ -1 +1 @@ -1.128.0 +1.129.0 diff --git a/gems/aws-sdk-codebuild/lib/aws-sdk-codebuild.rb b/gems/aws-sdk-codebuild/lib/aws-sdk-codebuild.rb index d4477092236..5882db661e0 100644 --- a/gems/aws-sdk-codebuild/lib/aws-sdk-codebuild.rb +++ b/gems/aws-sdk-codebuild/lib/aws-sdk-codebuild.rb @@ -52,6 +52,6 @@ # @!group service module Aws::CodeBuild - GEM_VERSION = '1.128.0' + GEM_VERSION = '1.129.0' end diff --git a/gems/aws-sdk-codebuild/lib/aws-sdk-codebuild/client.rb b/gems/aws-sdk-codebuild/lib/aws-sdk-codebuild/client.rb index ec994e95bd4..af3ebfe8636 100644 --- a/gems/aws-sdk-codebuild/lib/aws-sdk-codebuild/client.rb +++ b/gems/aws-sdk-codebuild/lib/aws-sdk-codebuild/client.rb @@ -974,7 +974,7 @@ def batch_get_fleets(params = {}, options = {}) # resp.projects[0].webhook.last_modified_secret #=> Time # resp.projects[0].webhook.scope_configuration.name #=> String # resp.projects[0].webhook.scope_configuration.domain #=> String - # resp.projects[0].webhook.scope_configuration.scope #=> String, one of "GITHUB_ORGANIZATION", "GITHUB_GLOBAL" + # resp.projects[0].webhook.scope_configuration.scope #=> String, one of "GITHUB_ORGANIZATION", "GITHUB_GLOBAL", "GITLAB_GROUP" # resp.projects[0].vpc_config.vpc_id #=> String # resp.projects[0].vpc_config.subnets #=> Array # resp.projects[0].vpc_config.subnets[0] #=> String @@ -1741,7 +1741,7 @@ def create_fleet(params = {}, options = {}) # resp.project.webhook.last_modified_secret #=> Time # resp.project.webhook.scope_configuration.name #=> String # resp.project.webhook.scope_configuration.domain #=> String - # resp.project.webhook.scope_configuration.scope #=> String, one of "GITHUB_ORGANIZATION", "GITHUB_GLOBAL" + # resp.project.webhook.scope_configuration.scope #=> String, one of "GITHUB_ORGANIZATION", "GITHUB_GLOBAL", "GITLAB_GROUP" # resp.project.vpc_config.vpc_id #=> String # resp.project.vpc_config.subnets #=> Array # resp.project.vpc_config.subnets[0] #=> String @@ -1943,7 +1943,7 @@ def create_report_group(params = {}, options = {}) # scope_configuration: { # name: "String", # required # domain: "String", - # scope: "GITHUB_ORGANIZATION", # required, accepts GITHUB_ORGANIZATION, GITHUB_GLOBAL + # scope: "GITHUB_ORGANIZATION", # required, accepts GITHUB_ORGANIZATION, GITHUB_GLOBAL, GITLAB_GROUP # }, # }) # @@ -1963,7 +1963,7 @@ def create_report_group(params = {}, options = {}) # resp.webhook.last_modified_secret #=> Time # resp.webhook.scope_configuration.name #=> String # resp.webhook.scope_configuration.domain #=> String - # resp.webhook.scope_configuration.scope #=> String, one of "GITHUB_ORGANIZATION", "GITHUB_GLOBAL" + # resp.webhook.scope_configuration.scope #=> String, one of "GITHUB_ORGANIZATION", "GITHUB_GLOBAL", "GITLAB_GROUP" # # @see http://docs.aws.amazon.com/goto/WebAPI/codebuild-2016-10-06/CreateWebhook AWS API Documentation # @@ -5565,7 +5565,7 @@ def update_fleet(params = {}, options = {}) # resp.project.webhook.last_modified_secret #=> Time # resp.project.webhook.scope_configuration.name #=> String # resp.project.webhook.scope_configuration.domain #=> String - # resp.project.webhook.scope_configuration.scope #=> String, one of "GITHUB_ORGANIZATION", "GITHUB_GLOBAL" + # resp.project.webhook.scope_configuration.scope #=> String, one of "GITHUB_ORGANIZATION", "GITHUB_GLOBAL", "GITLAB_GROUP" # resp.project.vpc_config.vpc_id #=> String # resp.project.vpc_config.subnets #=> Array # resp.project.vpc_config.subnets[0] #=> String @@ -5837,7 +5837,7 @@ def update_report_group(params = {}, options = {}) # resp.webhook.last_modified_secret #=> Time # resp.webhook.scope_configuration.name #=> String # resp.webhook.scope_configuration.domain #=> String - # resp.webhook.scope_configuration.scope #=> String, one of "GITHUB_ORGANIZATION", "GITHUB_GLOBAL" + # resp.webhook.scope_configuration.scope #=> String, one of "GITHUB_ORGANIZATION", "GITHUB_GLOBAL", "GITLAB_GROUP" # # @see http://docs.aws.amazon.com/goto/WebAPI/codebuild-2016-10-06/UpdateWebhook AWS API Documentation # @@ -5866,7 +5866,7 @@ def build_request(operation_name, params = {}) tracer: tracer ) context[:gem_name] = 'aws-sdk-codebuild' - context[:gem_version] = '1.128.0' + context[:gem_version] = '1.129.0' Seahorse::Client::Request.new(handlers, context) end diff --git a/gems/aws-sdk-codebuild/lib/aws-sdk-codebuild/types.rb b/gems/aws-sdk-codebuild/lib/aws-sdk-codebuild/types.rb index 9d1007546e3..3f1efbaafd6 100644 --- a/gems/aws-sdk-codebuild/lib/aws-sdk-codebuild/types.rb +++ b/gems/aws-sdk-codebuild/lib/aws-sdk-codebuild/types.rb @@ -5486,19 +5486,19 @@ class ScalingConfigurationOutput < Struct.new( # Contains configuration information about the scope for a webhook. # # @!attribute [rw] name - # The name of either the enterprise or organization that will send - # webhook events to CodeBuild, depending on if the webhook is a global - # or organization webhook respectively. + # The name of either the group, enterprise, or organization that will + # send webhook events to CodeBuild, depending on the type of webhook. # @return [String] # # @!attribute [rw] domain - # The domain of the GitHub Enterprise organization. Note that this - # parameter is only required if your project's source type is - # GITHUB\_ENTERPRISE + # The domain of the GitHub Enterprise organization or the GitLab Self + # Managed group. Note that this parameter is only required if your + # project's source type is GITHUB\_ENTERPRISE or + # GITLAB\_SELF\_MANAGED. # @return [String] # # @!attribute [rw] scope - # The type of scope for a GitHub webhook. + # The type of scope for a GitHub or GitLab webhook. # @return [String] # # @see http://docs.aws.amazon.com/goto/WebAPI/codebuild-2016-10-06/ScopeConfiguration AWS API Documentation diff --git a/gems/aws-sdk-codebuild/sig/client.rbs b/gems/aws-sdk-codebuild/sig/client.rbs index 92115c46250..ab63dcb02c2 100644 --- a/gems/aws-sdk-codebuild/sig/client.rbs +++ b/gems/aws-sdk-codebuild/sig/client.rbs @@ -401,7 +401,7 @@ module Aws ?scope_configuration: { name: ::String, domain: ::String?, - scope: ("GITHUB_ORGANIZATION" | "GITHUB_GLOBAL") + scope: ("GITHUB_ORGANIZATION" | "GITHUB_GLOBAL" | "GITLAB_GROUP") } ) -> _CreateWebhookResponseSuccess | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _CreateWebhookResponseSuccess diff --git a/gems/aws-sdk-codebuild/sig/types.rbs b/gems/aws-sdk-codebuild/sig/types.rbs index 59eea03a451..acde93bf268 100644 --- a/gems/aws-sdk-codebuild/sig/types.rbs +++ b/gems/aws-sdk-codebuild/sig/types.rbs @@ -1014,7 +1014,7 @@ module Aws::CodeBuild class ScopeConfiguration attr_accessor name: ::String attr_accessor domain: ::String - attr_accessor scope: ("GITHUB_ORGANIZATION" | "GITHUB_GLOBAL") + attr_accessor scope: ("GITHUB_ORGANIZATION" | "GITHUB_GLOBAL" | "GITLAB_GROUP") SENSITIVE: [] end diff --git a/gems/aws-sdk-core/CHANGELOG.md b/gems/aws-sdk-core/CHANGELOG.md index 6131b3863dc..06b11fe7bcd 100644 --- a/gems/aws-sdk-core/CHANGELOG.md +++ b/gems/aws-sdk-core/CHANGELOG.md @@ -1,6 +1,9 @@ Unreleased Changes ------------------ +3.206.0 (2024-09-17) +------------------ + * Feature - Support `sigv4a` endpoint auth without CRT. 3.205.0 (2024-09-11) diff --git a/gems/aws-sdk-core/VERSION b/gems/aws-sdk-core/VERSION index 5d9c2749905..46ab2e02764 100644 --- a/gems/aws-sdk-core/VERSION +++ b/gems/aws-sdk-core/VERSION @@ -1 +1 @@ -3.205.0 +3.206.0 diff --git a/gems/aws-sdk-core/lib/aws-sdk-sso.rb b/gems/aws-sdk-core/lib/aws-sdk-sso.rb index 21ab18392af..d4b8c65b6ef 100644 --- a/gems/aws-sdk-core/lib/aws-sdk-sso.rb +++ b/gems/aws-sdk-core/lib/aws-sdk-sso.rb @@ -54,6 +54,6 @@ # @!group service module Aws::SSO - GEM_VERSION = '3.205.0' + GEM_VERSION = '3.206.0' end diff --git a/gems/aws-sdk-core/lib/aws-sdk-sso/client.rb b/gems/aws-sdk-core/lib/aws-sdk-sso/client.rb index 54c8a7701a5..0a03de0dc3b 100644 --- a/gems/aws-sdk-core/lib/aws-sdk-sso/client.rb +++ b/gems/aws-sdk-core/lib/aws-sdk-sso/client.rb @@ -665,7 +665,7 @@ def build_request(operation_name, params = {}) tracer: tracer ) context[:gem_name] = 'aws-sdk-core' - context[:gem_version] = '3.205.0' + context[:gem_version] = '3.206.0' Seahorse::Client::Request.new(handlers, context) end diff --git a/gems/aws-sdk-core/lib/aws-sdk-ssooidc.rb b/gems/aws-sdk-core/lib/aws-sdk-ssooidc.rb index 2e203e31706..f2b6e153b19 100644 --- a/gems/aws-sdk-core/lib/aws-sdk-ssooidc.rb +++ b/gems/aws-sdk-core/lib/aws-sdk-ssooidc.rb @@ -54,6 +54,6 @@ # @!group service module Aws::SSOOIDC - GEM_VERSION = '3.205.0' + GEM_VERSION = '3.206.0' end diff --git a/gems/aws-sdk-core/lib/aws-sdk-ssooidc/client.rb b/gems/aws-sdk-core/lib/aws-sdk-ssooidc/client.rb index 93cf63b5100..8ff606262da 100644 --- a/gems/aws-sdk-core/lib/aws-sdk-ssooidc/client.rb +++ b/gems/aws-sdk-core/lib/aws-sdk-ssooidc/client.rb @@ -1018,7 +1018,7 @@ def build_request(operation_name, params = {}) tracer: tracer ) context[:gem_name] = 'aws-sdk-core' - context[:gem_version] = '3.205.0' + context[:gem_version] = '3.206.0' Seahorse::Client::Request.new(handlers, context) end diff --git a/gems/aws-sdk-core/lib/aws-sdk-sts.rb b/gems/aws-sdk-core/lib/aws-sdk-sts.rb index ce3e4f2a402..d5711f3300a 100644 --- a/gems/aws-sdk-core/lib/aws-sdk-sts.rb +++ b/gems/aws-sdk-core/lib/aws-sdk-sts.rb @@ -54,6 +54,6 @@ # @!group service module Aws::STS - GEM_VERSION = '3.205.0' + GEM_VERSION = '3.206.0' end diff --git a/gems/aws-sdk-core/lib/aws-sdk-sts/client.rb b/gems/aws-sdk-core/lib/aws-sdk-sts/client.rb index adb915222da..8c9d7d77912 100644 --- a/gems/aws-sdk-core/lib/aws-sdk-sts/client.rb +++ b/gems/aws-sdk-core/lib/aws-sdk-sts/client.rb @@ -2412,7 +2412,7 @@ def build_request(operation_name, params = {}) tracer: tracer ) context[:gem_name] = 'aws-sdk-core' - context[:gem_version] = '3.205.0' + context[:gem_version] = '3.206.0' Seahorse::Client::Request.new(handlers, context) end diff --git a/gems/aws-sdk-ecr/CHANGELOG.md b/gems/aws-sdk-ecr/CHANGELOG.md index 3a7ca380322..4c7f76a6560 100644 --- a/gems/aws-sdk-ecr/CHANGELOG.md +++ b/gems/aws-sdk-ecr/CHANGELOG.md @@ -1,6 +1,11 @@ Unreleased Changes ------------------ +1.84.0 (2024-09-17) +------------------ + +* Feature - The `DescribeImageScanning` API now includes `fixAvailable`, `exploitAvailable`, and `fixedInVersion` fields to provide more detailed information about the availability of fixes, exploits, and fixed versions for identified image vulnerabilities. + 1.83.0 (2024-09-11) ------------------ diff --git a/gems/aws-sdk-ecr/VERSION b/gems/aws-sdk-ecr/VERSION index 6b4de0a42b0..bd0f9e6c28f 100644 --- a/gems/aws-sdk-ecr/VERSION +++ b/gems/aws-sdk-ecr/VERSION @@ -1 +1 @@ -1.83.0 +1.84.0 diff --git a/gems/aws-sdk-ecr/lib/aws-sdk-ecr.rb b/gems/aws-sdk-ecr/lib/aws-sdk-ecr.rb index 21cc0ff30a6..38c9593e219 100644 --- a/gems/aws-sdk-ecr/lib/aws-sdk-ecr.rb +++ b/gems/aws-sdk-ecr/lib/aws-sdk-ecr.rb @@ -53,6 +53,6 @@ # @!group service module Aws::ECR - GEM_VERSION = '1.83.0' + GEM_VERSION = '1.84.0' end diff --git a/gems/aws-sdk-ecr/lib/aws-sdk-ecr/client.rb b/gems/aws-sdk-ecr/lib/aws-sdk-ecr/client.rb index 6a3a805d19e..b6c75bc878d 100644 --- a/gems/aws-sdk-ecr/lib/aws-sdk-ecr/client.rb +++ b/gems/aws-sdk-ecr/lib/aws-sdk-ecr/client.rb @@ -1623,6 +1623,7 @@ def describe_image_replication_status(params = {}, options = {}) # resp.image_scan_findings.enhanced_findings[0].package_vulnerability_details.vulnerable_packages[0].release #=> String # resp.image_scan_findings.enhanced_findings[0].package_vulnerability_details.vulnerable_packages[0].source_layer_hash #=> String # resp.image_scan_findings.enhanced_findings[0].package_vulnerability_details.vulnerable_packages[0].version #=> String + # resp.image_scan_findings.enhanced_findings[0].package_vulnerability_details.vulnerable_packages[0].fixed_in_version #=> String # resp.image_scan_findings.enhanced_findings[0].remediation.recommendation.url #=> String # resp.image_scan_findings.enhanced_findings[0].remediation.recommendation.text #=> String # resp.image_scan_findings.enhanced_findings[0].resources #=> Array @@ -1652,6 +1653,8 @@ def describe_image_replication_status(params = {}, options = {}) # resp.image_scan_findings.enhanced_findings[0].title #=> String # resp.image_scan_findings.enhanced_findings[0].type #=> String # resp.image_scan_findings.enhanced_findings[0].updated_at #=> Time + # resp.image_scan_findings.enhanced_findings[0].fix_available #=> String + # resp.image_scan_findings.enhanced_findings[0].exploit_available #=> String # resp.next_token #=> String # # @@ -3666,7 +3669,7 @@ def build_request(operation_name, params = {}) tracer: tracer ) context[:gem_name] = 'aws-sdk-ecr' - context[:gem_version] = '1.83.0' + context[:gem_version] = '1.84.0' Seahorse::Client::Request.new(handlers, context) end diff --git a/gems/aws-sdk-ecr/lib/aws-sdk-ecr/client_api.rb b/gems/aws-sdk-ecr/lib/aws-sdk-ecr/client_api.rb index 8d9a385eab7..38886c36aee 100644 --- a/gems/aws-sdk-ecr/lib/aws-sdk-ecr/client_api.rb +++ b/gems/aws-sdk-ecr/lib/aws-sdk-ecr/client_api.rb @@ -91,12 +91,15 @@ module ClientApi EvaluationTimestamp = Shapes::TimestampShape.new(name: 'EvaluationTimestamp') ExceptionMessage = Shapes::StringShape.new(name: 'ExceptionMessage') ExpirationTimestamp = Shapes::TimestampShape.new(name: 'ExpirationTimestamp') + ExploitAvailable = Shapes::StringShape.new(name: 'ExploitAvailable') FilePath = Shapes::StringShape.new(name: 'FilePath') FindingArn = Shapes::StringShape.new(name: 'FindingArn') FindingDescription = Shapes::StringShape.new(name: 'FindingDescription') FindingName = Shapes::StringShape.new(name: 'FindingName') FindingSeverity = Shapes::StringShape.new(name: 'FindingSeverity') FindingSeverityCounts = Shapes::MapShape.new(name: 'FindingSeverityCounts') + FixAvailable = Shapes::StringShape.new(name: 'FixAvailable') + FixedInVersion = Shapes::StringShape.new(name: 'FixedInVersion') ForceFlag = Shapes::BooleanShape.new(name: 'ForceFlag') GetAccountSettingRequest = Shapes::StructureShape.new(name: 'GetAccountSettingRequest') GetAccountSettingResponse = Shapes::StructureShape.new(name: 'GetAccountSettingResponse') @@ -637,6 +640,8 @@ module ClientApi EnhancedImageScanFinding.add_member(:title, Shapes::ShapeRef.new(shape: Title, location_name: "title")) EnhancedImageScanFinding.add_member(:type, Shapes::ShapeRef.new(shape: Type, location_name: "type")) EnhancedImageScanFinding.add_member(:updated_at, Shapes::ShapeRef.new(shape: Date, location_name: "updatedAt")) + EnhancedImageScanFinding.add_member(:fix_available, Shapes::ShapeRef.new(shape: FixAvailable, location_name: "fixAvailable")) + EnhancedImageScanFinding.add_member(:exploit_available, Shapes::ShapeRef.new(shape: ExploitAvailable, location_name: "exploitAvailable")) EnhancedImageScanFinding.struct_class = Types::EnhancedImageScanFinding EnhancedImageScanFindingList.member = Shapes::ShapeRef.new(shape: EnhancedImageScanFinding) @@ -1303,6 +1308,7 @@ module ClientApi VulnerablePackage.add_member(:release, Shapes::ShapeRef.new(shape: Release, location_name: "release")) VulnerablePackage.add_member(:source_layer_hash, Shapes::ShapeRef.new(shape: SourceLayerHash, location_name: "sourceLayerHash")) VulnerablePackage.add_member(:version, Shapes::ShapeRef.new(shape: Version, location_name: "version")) + VulnerablePackage.add_member(:fixed_in_version, Shapes::ShapeRef.new(shape: FixedInVersion, location_name: "fixedInVersion")) VulnerablePackage.struct_class = Types::VulnerablePackage VulnerablePackagesList.member = Shapes::ShapeRef.new(shape: VulnerablePackage) diff --git a/gems/aws-sdk-ecr/lib/aws-sdk-ecr/types.rb b/gems/aws-sdk-ecr/lib/aws-sdk-ecr/types.rb index fe0df4a2fbd..779ed01ac6f 100644 --- a/gems/aws-sdk-ecr/lib/aws-sdk-ecr/types.rb +++ b/gems/aws-sdk-ecr/lib/aws-sdk-ecr/types.rb @@ -1432,20 +1432,20 @@ class EmptyUploadException < Struct.new( # If you use the `KMS_DSSE` encryption type, the contents of the # repository will be encrypted with two layers of encryption using # server-side encryption with the KMS Management Service key stored in - # KMS. Similar to the KMS encryption type, you can either use the + # KMS. Similar to the `KMS` encryption type, you can either use the # default Amazon Web Services managed KMS key for Amazon ECR, or # specify your own KMS key, which you've already created. # # If you use the `AES256` encryption type, Amazon ECR uses server-side # encryption with Amazon S3-managed encryption keys which encrypts the - # images in the repository using an AES256 encryption algorithm. For - # more information, see [Protecting data using server-side encryption - # with Amazon S3-managed encryption keys (SSE-S3)][1] in the *Amazon - # Simple Storage Service Console Developer Guide*. + # images in the repository using an AES256 encryption algorithm. + # + # For more information, see [Amazon ECR encryption at rest][1] in the + # *Amazon Elastic Container Registry User Guide*. # # # - # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html + # [1]: https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html # @return [String] # # @!attribute [rw] kms_key @@ -1576,6 +1576,18 @@ class EncryptionConfigurationForRepositoryCreationTemplate < Struct.new( # The date and time the finding was last updated at. # @return [Time] # + # @!attribute [rw] fix_available + # Details on whether a fix is available through a version update. This + # value can be `YES`, `NO`, or `PARTIAL`. A `PARTIAL` fix means that + # some, but not all, of the packages identified in the finding have + # fixes available through updated versions. + # @return [String] + # + # @!attribute [rw] exploit_available + # If a finding discovered in your environment has an exploit + # available. + # @return [String] + # # @see http://docs.aws.amazon.com/goto/WebAPI/ecr-2015-09-21/EnhancedImageScanFinding AWS API Documentation # class EnhancedImageScanFinding < Struct.new( @@ -1593,7 +1605,9 @@ class EnhancedImageScanFinding < Struct.new( :status, :title, :type, - :updated_at) + :updated_at, + :fix_available, + :exploit_available) SENSITIVE = [] include Aws::Structure end @@ -4605,6 +4619,10 @@ class ValidationException < Struct.new( # The version of the vulnerable package. # @return [String] # + # @!attribute [rw] fixed_in_version + # The version of the package that contains the vulnerability fix. + # @return [String] + # # @see http://docs.aws.amazon.com/goto/WebAPI/ecr-2015-09-21/VulnerablePackage AWS API Documentation # class VulnerablePackage < Struct.new( @@ -4615,7 +4633,8 @@ class VulnerablePackage < Struct.new( :package_manager, :release, :source_layer_hash, - :version) + :version, + :fixed_in_version) SENSITIVE = [] include Aws::Structure end diff --git a/gems/aws-sdk-ecr/sig/types.rbs b/gems/aws-sdk-ecr/sig/types.rbs index cabf770afa7..8b0a34b23e0 100644 --- a/gems/aws-sdk-ecr/sig/types.rbs +++ b/gems/aws-sdk-ecr/sig/types.rbs @@ -388,6 +388,8 @@ module Aws::ECR attr_accessor title: ::String attr_accessor type: ::String attr_accessor updated_at: ::Time + attr_accessor fix_available: ::String + attr_accessor exploit_available: ::String SENSITIVE: [] end @@ -1238,6 +1240,7 @@ module Aws::ECR attr_accessor release: ::String attr_accessor source_layer_hash: ::String attr_accessor version: ::String + attr_accessor fixed_in_version: ::String SENSITIVE: [] end end diff --git a/gems/aws-sdk-ecs/CHANGELOG.md b/gems/aws-sdk-ecs/CHANGELOG.md index 24b18b211f3..c091b7a445f 100644 --- a/gems/aws-sdk-ecs/CHANGELOG.md +++ b/gems/aws-sdk-ecs/CHANGELOG.md @@ -1,6 +1,11 @@ Unreleased Changes ------------------ +1.158.0 (2024-09-17) +------------------ + +* Feature - This is a documentation only release to address various tickets. + 1.157.0 (2024-09-11) ------------------ diff --git a/gems/aws-sdk-ecs/VERSION b/gems/aws-sdk-ecs/VERSION index 36ebe49cbdd..fc8113ce413 100644 --- a/gems/aws-sdk-ecs/VERSION +++ b/gems/aws-sdk-ecs/VERSION @@ -1 +1 @@ -1.157.0 +1.158.0 diff --git a/gems/aws-sdk-ecs/lib/aws-sdk-ecs.rb b/gems/aws-sdk-ecs/lib/aws-sdk-ecs.rb index 5d5f765b557..59f88e2ecc0 100644 --- a/gems/aws-sdk-ecs/lib/aws-sdk-ecs.rb +++ b/gems/aws-sdk-ecs/lib/aws-sdk-ecs.rb @@ -53,6 +53,6 @@ # @!group service module Aws::ECS - GEM_VERSION = '1.157.0' + GEM_VERSION = '1.158.0' end diff --git a/gems/aws-sdk-ecs/lib/aws-sdk-ecs/client.rb b/gems/aws-sdk-ecs/lib/aws-sdk-ecs/client.rb index ef39915cef0..1a9fc206792 100644 --- a/gems/aws-sdk-ecs/lib/aws-sdk-ecs/client.rb +++ b/gems/aws-sdk-ecs/lib/aws-sdk-ecs/client.rb @@ -5785,9 +5785,6 @@ def list_tasks(params = {}, options = {}) # mode][3]. For more information on using IPv6 with tasks launched on # Fargate, see [Using a VPC in dual-stack mode][4]. # - # * `fargateFIPSMode` - If you specify `fargateFIPSMode`, Fargate FIPS - # 140 compliance is affected. - # # * `fargateTaskRetirementWaitPeriod` - When Amazon Web Services # determines that a security or infrastructure update is needed for an # Amazon ECS task hosted on Fargate, the tasks need to be stopped and @@ -10445,7 +10442,7 @@ def build_request(operation_name, params = {}) tracer: tracer ) context[:gem_name] = 'aws-sdk-ecs' - context[:gem_version] = '1.157.0' + context[:gem_version] = '1.158.0' Seahorse::Client::Request.new(handlers, context) end diff --git a/gems/aws-sdk-ecs/lib/aws-sdk-ecs/types.rb b/gems/aws-sdk-ecs/lib/aws-sdk-ecs/types.rb index e164bcbbd68..ab2d2c531e4 100644 --- a/gems/aws-sdk-ecs/lib/aws-sdk-ecs/types.rb +++ b/gems/aws-sdk-ecs/lib/aws-sdk-ecs/types.rb @@ -1035,7 +1035,7 @@ class Container < Struct.new( # entered in the `links` of another container to connect the # containers. Up to 255 letters (uppercase and lowercase), numbers, # underscores, and hyphens are allowed. This parameter maps to `name` - # in tthe docker conainer create command and the `--name` option to + # in the docker container create command and the `--name` option to # docker run. # @return [String] # @@ -1046,7 +1046,7 @@ class Container < Struct.new( # repository-url/image:tag ` or ` repository-url/image@digest `. Up to # 255 letters (uppercase and lowercase), numbers, hyphens, # underscores, colons, periods, forward slashes, and number signs are - # allowed. This parameter maps to `Image` in the docker conainer + # allowed. This parameter maps to `Image` in the docker container # create command and the `IMAGE` parameter of docker run. # # * When a new task starts, the Amazon ECS container agent pulls the @@ -1077,7 +1077,7 @@ class Container < Struct.new( # # @!attribute [rw] cpu # The number of `cpu` units reserved for the container. This parameter - # maps to `CpuShares` in the docker conainer create commandand the + # maps to `CpuShares` in the docker container create commandand the # `--cpu-shares` option to docker run. # # This field is optional for tasks using the Fargate launch type, and @@ -1142,9 +1142,8 @@ class Container < Struct.new( # container attempts to exceed the memory specified here, the # container is killed. The total amount of memory reserved for all # containers within a task must be lower than the task `memory` value, - # if one is specified. This parameter maps to `Memory` in thethe - # docker conainer create command and the `--memory` option to docker - # run. + # if one is specified. This parameter maps to `Memory` in the docker + # container create command and the `--memory` option to docker run. # # If using the Fargate launch type, this parameter is optional. # @@ -1172,9 +1171,8 @@ class Container < Struct.new( # consume more memory when it needs to, up to either the hard limit # specified with the `memory` parameter (if applicable), or all of the # available memory on the container instance, whichever comes first. - # This parameter maps to `MemoryReservation` in the the docker - # conainer create command and the `--memory-reservation` option to - # docker run. + # This parameter maps to `MemoryReservation` in the docker container + # create command and the `--memory-reservation` option to docker run. # # If a task-level memory value is not specified, you must specify a # non-zero integer for one or both of `memory` or `memoryReservation` @@ -1208,7 +1206,7 @@ class Container < Struct.new( # `name:internalName` construct is analogous to `name:alias` in Docker # links. Up to 255 letters (uppercase and lowercase), numbers, # underscores, and hyphens are allowed.. This parameter maps to - # `Links` in the docker conainer create command and the `--link` + # `Links` in the docker container create command and the `--link` # option to docker run. # #