Package software.amazon.awscdk

@Stability(Stable) package software.amazon.awscdk

AWS Cloud Development Kit Library

The AWS CDK construct library provides APIs to define your CDK application and add CDK constructs to the application.

Usage

Upgrade from CDK 1.x

When upgrading from CDK 1.x, remove all dependencies to individual CDK packages from your dependencies file and follow the rest of the sections.

Installation

To use this package, you need to declare this package and the constructs package as dependencies.

According to the kind of project you are developing:

For projects that are CDK libraries in NPM, declare them both under the devDependencies and peerDependencies sections. To make sure your library is compatible with the widest range of CDK versions: pick the minimum aws-cdk-lib version that your library requires; declare a range dependency with a caret on that version in peerDependencies, and declare a point version dependency on that version in devDependencies.

For example, let's say the minimum version your library needs is 2.38.0. Your package.json should look like this:

 {
   "peerDependencies": {
     "aws-cdk-lib": "^2.38.0",
     "constructs": "^10.0.0"
   },
   "devDependencies": {
     /* Install the oldest version for testing so we don't accidentally use features from a newer version than we declare */
     "aws-cdk-lib": "2.38.0"
   }
 }
 

For CDK apps, declare them under the dependencies section. Use a caret so you always get the latest version:

 {
   "dependencies": {
     "aws-cdk-lib": "^2.38.0",
     "constructs": "^10.0.0"
   }
 }
 

Use in your code

Classic import

You can use a classic import to get access to each service namespaces:

 import software.amazon.awscdk.Stack;
 import software.amazon.awscdk.App;
 import software.amazon.awscdk.services.s3.*;
 
 App app = new App();
 Stack stack = new Stack(app, "TestStack");
 
 new Bucket(stack, "TestBucket");
 

Barrel import

Alternatively, you can use "barrel" imports:

 import software.amazon.awscdk.App;
 import software.amazon.awscdk.Stack;
 import software.amazon.awscdk.services.s3.Bucket;
 
 App app = new App();
 Stack stack = new Stack(app, "TestStack");
 
 new Bucket(stack, "TestBucket");
 

Stacks and Stages

A Stack is the smallest physical unit of deployment, and maps directly onto a CloudFormation Stack. You define a Stack by defining a subclass of Stack -- let's call it MyStack -- and instantiating the constructs that make up your application in MyStack's constructor. You then instantiate this stack one or more times to define different instances of your application. For example, you can instantiate it once using few and cheap EC2 instances for testing, and once again using more and bigger EC2 instances for production.

When your application grows, you may decide that it makes more sense to split it out across multiple Stack classes. This can happen for a number of reasons:

• You could be starting to reach the maximum number of resources allowed in a single stack (this is currently 500).
• You could decide you want to separate out stateful resources and stateless resources into separate stacks, so that it becomes easy to tear down and recreate the stacks that don't have stateful resources.
• There could be a single stack with resources (like a VPC) that are shared between multiple instances of other stacks containing your applications.

As soon as your conceptual application starts to encompass multiple stacks, it is convenient to wrap them in another construct that represents your logical application. You can then treat that new unit the same way you used to be able to treat a single stack: by instantiating it multiple times for different instances of your application.

You can define a custom subclass of Stage, holding one or more Stacks, to represent a single logical instance of your application.

As a final note: Stacks are not a unit of reuse. They describe physical deployment layouts, and as such are best left to application builders to organize their deployments with. If you want to vend a reusable construct, define it as a subclasses of Construct: the consumers of your construct will decide where to place it in their own stacks.

Stack Synthesizers

Each Stack has a synthesizer, an object that determines how and where the Stack should be synthesized and deployed. The synthesizer controls aspects like:

• How does the stack reference assets? (Either through CloudFormation parameters the CLI supplies, or because the Stack knows a predefined location where assets will be uploaded).
• What roles are used to deploy the stack? These can be bootstrapped roles, roles created in some other way, or just the CLI's current credentials.

The following synthesizers are available:

• DefaultStackSynthesizer: recommended. Uses predefined asset locations and roles created by the modern bootstrap template. Access control is done by controlling who can assume the deploy role. This is the default stack synthesizer in CDKv2.
• LegacyStackSynthesizer: Uses CloudFormation parameters to communicate asset locations, and the CLI's current permissions to deploy stacks. This is the default stack synthesizer in CDKv1.
• CliCredentialsStackSynthesizer: Uses predefined asset locations, and the CLI's current permissions.

Each of these synthesizers takes configuration arguments. To configure a stack with a synthesizer, pass it as one of its properties:

 MyStack.Builder.create(app, "MyStack")
         .synthesizer(DefaultStackSynthesizer.Builder.create()
                 .fileAssetsBucketName("amzn-s3-demo-bucket")
                 .build())
         .build();
 

For more information on bootstrapping accounts and customizing synthesis, see Bootstrapping in the CDK Developer Guide.

STS Role Options

You can configure STS options that instruct the CDK CLI on which configuration should it use when assuming the various roles that are involved in a deployment operation.

Refer to the bootstrapping guide for further context.

These options are available via the DefaultStackSynthesizer properties:

 public class MyStack extends Stack {
     public MyStack(Construct scope, String id, StackProps props) {
         super(scope, id, StackProps.builder()
                 (SpreadAssignment ...props
                   props)
                 .synthesizer(DefaultStackSynthesizer.Builder.create()
                         .deployRoleExternalId("")
                         .deployRoleAdditionalOptions(Map.of())
                         .fileAssetPublishingExternalId("")
                         .fileAssetPublishingRoleAdditionalOptions(Map.of())
                         .imageAssetPublishingExternalId("")
                         .imageAssetPublishingRoleAdditionalOptions(Map.of())
                         .lookupRoleExternalId("")
                         .lookupRoleAdditionalOptions(Map.of())
                         .build())
                 .build());
     }
 }
 

Note that the *additionalOptions property does not allow passing ExternalId or RoleArn, as these options have dedicated properties that configure them.

Session Tags

STS session tags are used to implement Attribute-Based Access Control (ABAC).

See IAM tutorial: Define permissions to access AWS resources based on tags.

You can pass session tags for each role created during bootstrap via the *additionalOptions property:

 public class MyStack extends Stack {
     public MyStack(Construct parent, String id, StackProps props) {
         super(parent, id, StackProps.builder()
                 (SpreadAssignment ...props
                   props)
                 .synthesizer(DefaultStackSynthesizer.Builder.create()
                         .deployRoleAdditionalOptions(Map.of(
                                 "Tags", List.of(Map.of("Key", "Department", "Value", "Engineering"))))
                         .fileAssetPublishingRoleAdditionalOptions(Map.of(
                                 "Tags", List.of(Map.of("Key", "Department", "Value", "Engineering"))))
                         .imageAssetPublishingRoleAdditionalOptions(Map.of(
                                 "Tags", List.of(Map.of("Key", "Department", "Value", "Engineering"))))
                         .lookupRoleAdditionalOptions(Map.of(
                                 "Tags", List.of(Map.of("Key", "Department", "Value", "Engineering"))))
                         .build())
                 .build());
     }
 }
 

This will cause the CDK CLI to include session tags when assuming each of these roles during deployment. Note that the trust policy of the role must contain permissions for the sts:TagSession action.

Refer to the IAM user guide on session tags.

• If you are using a custom bootstrap template, make sure the template includes these permissions.
• If you are using the default bootstrap template from a CDK version lower than XXXX, you will need to rebootstrap your enviroment (once).

Nested Stacks

Nested stacks are stacks created as part of other stacks. You create a nested stack within another stack by using the NestedStack construct.

As your infrastructure grows, common patterns can emerge in which you declare the same components in multiple templates. You can separate out these common components and create dedicated templates for them. Then use the resource in your template to reference other templates, creating nested stacks.

For example, assume that you have a load balancer configuration that you use for most of your stacks. Instead of copying and pasting the same configurations into your templates, you can create a dedicated template for the load balancer. Then, you just use the resource to reference that template from within other templates.

The following example will define a single top-level stack that contains two nested stacks: each one with a single Amazon S3 bucket:

 public class MyNestedStack extends NestedStack {
     public MyNestedStack(Construct scope, String id) {
         this(scope, id, null);
     }
 
     public MyNestedStack(Construct scope, String id, NestedStackProps props) {
         super(scope, id, props);
 
         new Bucket(this, "NestedBucket");
     }
 }
 
 public class MyParentStack extends Stack {
     public MyParentStack(Construct scope, String id) {
         this(scope, id, null);
     }
 
     public MyParentStack(Construct scope, String id, StackProps props) {
         super(scope, id, props);
 
         new MyNestedStack(this, "Nested1");
         new MyNestedStack(this, "Nested2");
     }
 }
 

Resources references across nested/parent boundaries (even with multiple levels of nesting) will be wired by the AWS CDK through CloudFormation parameters and outputs. When a resource from a parent stack is referenced by a nested stack, a CloudFormation parameter will automatically be added to the nested stack and assigned from the parent; when a resource from a nested stack is referenced by a parent stack, a CloudFormation output will be automatically be added to the nested stack and referenced using Fn::GetAtt "Outputs.Xxx" from the parent.

Nested stacks also support the use of Docker image and file assets.

Accessing resources in a different stack

You can access resources in a different stack, as long as they are in the same account and AWS Region (see next section for an exception). The following example defines the stack stack1, which defines an Amazon S3 bucket. Then it defines a second stack, stack2, which takes the bucket from stack1 as a constructor property.

 Map<String, String> prod = Map.of("account", "123456789012", "region", "us-east-1");
 
 StackThatProvidesABucket stack1 = StackThatProvidesABucket.Builder.create(app, "Stack1").env(prod).build();
 
 // stack2 will take a property { bucket: IBucket }
 StackThatExpectsABucket stack2 = new StackThatExpectsABucket(app, "Stack2", new StackThatExpectsABucketProps()
         .bucket(stack1.getBucket())
         .env(prod)
         );
 

If the AWS CDK determines that the resource is in the same account and Region, but in a different stack, it automatically synthesizes AWS CloudFormation Exports in the producing stack and an Fn::ImportValue in the consuming stack to transfer that information from one stack to the other.

Accessing resources in a different stack and region

This feature is currently experimental

You can enable the Stack property crossRegionReferences in order to access resources in a different stack and region. With this feature flag enabled it is possible to do something like creating a CloudFront distribution in us-east-2 and an ACM certificate in us-east-1.

 Stack stack1 = Stack.Builder.create(app, "Stack1")
         .env(Environment.builder()
                 .region("us-east-1")
                 .build())
         .crossRegionReferences(true)
         .build();
 Certificate cert = Certificate.Builder.create(stack1, "Cert")
         .domainName("*.example.com")
         .validation(CertificateValidation.fromDns(PublicHostedZone.fromHostedZoneId(stack1, "Zone", "Z0329774B51CGXTDQV3X")))
         .build();
 
 Stack stack2 = Stack.Builder.create(app, "Stack2")
         .env(Environment.builder()
                 .region("us-east-2")
                 .build())
         .crossRegionReferences(true)
         .build();
 Distribution.Builder.create(stack2, "Distribution")
         .defaultBehavior(BehaviorOptions.builder()
                 .origin(new HttpOrigin("example.com"))
                 .build())
         .domainNames(List.of("dev.example.com"))
         .certificate(cert)
         .build();
 

When the AWS CDK determines that the resource is in a different stack and is in a different region, it will "export" the value by creating a custom resource in the producing stack which creates SSM Parameters in the consuming region for each exported value. The parameters will be created with the name '/cdk/exports/${consumingStackName}/${export-name}'. In order to "import" the exports into the consuming stack a SSM Dynamic reference is used to reference the SSM parameter which was created.

In order to mimic strong references, a Custom Resource is also created in the consuming stack which marks the SSM parameters as being "imported". When a parameter has been successfully imported, the producing stack cannot update the value.

[!NOTE] As a consequence of this feature being built on a Custom Resource, we are restricted to a CloudFormation response body size limitation of 4096 bytes. To prevent deployment errors related to the Custom Resource Provider response body being too large, we recommend limiting the use of nested stacks and minimizing the length of stack names. Doing this will prevent SSM parameter names from becoming too long which will reduce the size of the response body.

See the adr for more details on this feature.

Removing automatic cross-stack references

The automatic references created by CDK when you use resources across stacks are convenient, but may block your deployments if you want to remove the resources that are referenced in this way. You will see an error like:

 Export Stack1:ExportsOutputFnGetAtt-****** cannot be deleted as it is in use by Stack1
 

Let's say there is a Bucket in the stack1, and the stack2 references its bucket.bucketName. You now want to remove the bucket and run into the error above.

It's not safe to remove stack1.bucket while stack2 is still using it, so unblocking yourself from this is a two-step process. This is how it works:

DEPLOYMENT 1: break the relationship

• Make sure stack2 no longer references bucket.bucketName (maybe the consumer stack now uses its own bucket, or it writes to an AWS DynamoDB table, or maybe you just remove the Lambda Function altogether).
• In the stack1 class, call this.exportValue(this.bucket.bucketName). This will make sure the CloudFormation Export continues to exist while the relationship between the two stacks is being broken.
• Deploy (this will effectively only change the stack2, but it's safe to deploy both).

DEPLOYMENT 2: remove the resource

• You are now free to remove the bucket resource from stack1.
• Don't forget to remove the exportValue() call as well.
• Deploy again (this time only the stack1 will be changed -- the bucket will be deleted).

Durations

To make specifications of time intervals unambiguous, a single class called Duration is used throughout the AWS Construct Library by all constructs that that take a time interval as a parameter (be it for a timeout, a rate, or something else).

An instance of Duration is constructed by using one of the static factory methods on it:

 Duration.seconds(300); // 5 minutes
 Duration.minutes(5); // 5 minutes
 Duration.hours(1); // 1 hour
 Duration.days(7); // 7 days
 Duration.parse("PT5M");
 

Durations can be added or subtracted together:

 Duration.minutes(1).plus(Duration.seconds(60)); // 2 minutes
 Duration.minutes(5).minus(Duration.seconds(10));
 

Size (Digital Information Quantity)

To make specification of digital storage quantities unambiguous, a class called Size is available.

An instance of Size is initialized through one of its static factory methods:

 Size.kibibytes(200); // 200 KiB
 Size.mebibytes(5); // 5 MiB
 Size.gibibytes(40); // 40 GiB
 Size.tebibytes(200); // 200 TiB
 Size.pebibytes(3);
 

Instances of Size created with one of the units can be converted into others. By default, conversion to a higher unit will fail if the conversion does not produce a whole number. This can be overridden by unsetting integral property.

 Size.mebibytes(2).toKibibytes(); // yields 2048
 Size.kibibytes(2050).toMebibytes(SizeConversionOptions.builder().rounding(SizeRoundingBehavior.FLOOR).build());
 

Secrets

To help avoid accidental storage of secrets as plain text, we use the SecretValue type to represent secrets. Any construct that takes a value that should be a secret (such as a password or an access key) will take a parameter of type SecretValue.

The best practice is to store secrets in AWS Secrets Manager and reference them using SecretValue.secretsManager:

 SecretValue secret = SecretValue.secretsManager("secretId", SecretsManagerSecretOptions.builder()
         .jsonField("password") // optional: key of a JSON field to retrieve (defaults to all content),
         .versionId("id") // optional: id of the version (default AWSCURRENT)
         .versionStage("stage")
         .build());
 

Using AWS Secrets Manager is the recommended way to reference secrets in a CDK app. SecretValue also supports the following secret sources:

• SecretValue.unsafePlainText(secret): stores the secret as plain text in your app and the resulting template (not recommended).
• SecretValue.secretsManager(secret): refers to a secret stored in Secrets Manager
• SecretValue.ssmSecure(param, version): refers to a secret stored as a SecureString in the SSM Parameter Store. If you don't specify the exact version, AWS CloudFormation uses the latest version of the parameter.
• SecretValue.cfnParameter(param): refers to a secret passed through a CloudFormation parameter (must have NoEcho: true).
• SecretValue.cfnDynamicReference(dynref): refers to a secret described by a CloudFormation dynamic reference (used by ssmSecure and secretsManager).
• SecretValue.resourceAttribute(attr): refers to a secret returned from a CloudFormation resource creation.

SecretValues should only be passed to constructs that accept properties of type SecretValue. These constructs are written to ensure your secrets will not be exposed where they shouldn't be. If you try to use a SecretValue in a different location, an error about unsafe secret usage will be thrown at synthesis time.

If you rotate the secret's value in Secrets Manager, you must also change at least one property on the resource where you are using the secret, to force CloudFormation to re-read the secret.

SecretValue.ssmSecure() is only supported for a limited set of resources. Click here for a list of supported resources and properties.

SecretValue.cfnDynamicReferenceKey takes the same parameters as SecretValue.secretsManager and returns a key which can be used within a dynamic reference to dynamically load a secret from AWS Secrets Manager.

ARN manipulation

Sometimes you will need to put together or pick apart Amazon Resource Names (ARNs). The functions stack.formatArn() and stack.splitArn() exist for this purpose.

formatArn() can be used to build an ARN from components. It will automatically use the region and account of the stack you're calling it on:

 Stack stack;
 
 
 // Builds "arn:<PARTITION>:lambda:<REGION>:<ACCOUNT>:function:MyFunction"
 stack.formatArn(ArnComponents.builder()
         .service("lambda")
         .resource("function")
         .arnFormat(ArnFormat.COLON_RESOURCE_NAME)
         .resourceName("MyFunction")
         .build());
 

splitArn() can be used to get a single component from an ARN. splitArn() will correctly deal with both literal ARNs and deploy-time values (tokens), but in case of a deploy-time value be aware that the result will be another deploy-time value which cannot be inspected in the CDK application.

 Stack stack;
 
 
 // Extracts the function name out of an AWS Lambda Function ARN
 ArnComponents arnComponents = stack.splitArn(arn, ArnFormat.COLON_RESOURCE_NAME);
 String functionName = arnComponents.getResourceName();
 

Note that the format of the resource separator depends on the service and may be any of the values supported by ArnFormat. When dealing with these functions, it is important to know the format of the ARN you are dealing with.

For an exhaustive list of ARN formats used in AWS, see AWS ARNs and Namespaces in the AWS General Reference.

Dependencies

Construct Dependencies

Sometimes AWS resources depend on other resources, and the creation of one resource must be completed before the next one can be started.

In general, CloudFormation will correctly infer the dependency relationship between resources based on the property values that are used. In the cases where it doesn't, the AWS Construct Library will add the dependency relationship for you.

If you need to add an ordering dependency that is not automatically inferred, you do so by adding a dependency relationship using constructA.node.addDependency(constructB). This will add a dependency relationship between all resources in the scope of constructA and all resources in the scope of constructB.

If you want a single object to represent a set of constructs that are not necessarily in the same scope, you can use a DependencyGroup. The following creates a single object that represents a dependency on two constructs, constructB and constructC:

 // Declare the dependable object
 DependencyGroup bAndC = new DependencyGroup();
 bAndC.add(constructB);
 bAndC.add(constructC);
 
 // Take the dependency
 constructA.node.addDependency(bAndC);
 

Stack Dependencies

Two different stack instances can have a dependency on one another. This happens when an resource from one stack is referenced in another stack. In that case, CDK records the cross-stack referencing of resources, automatically produces the right CloudFormation primitives, and adds a dependency between the two stacks. You can also manually add a dependency between two stacks by using the stackA.addDependency(stackB) method.

A stack dependency has the following implications:

• Cyclic dependencies are not allowed, so if stackA is using resources from stackB, the reverse is not possible anymore.
• Stacks with dependencies between them are treated specially by the CDK toolkit:
  • If stackA depends on stackB, running cdk deploy stackA will also automatically deploy stackB.
  • stackB's deployment will be performed before stackA's deployment.

CfnResource Dependencies

To make declaring dependencies between CfnResource objects easier, you can declare dependencies from one CfnResource object on another by using the cfnResource1.addDependency(cfnResource2) method. This method will work for resources both within the same stack and across stacks as it detects the relative location of the two resources and adds the dependency either to the resource or between the relevant stacks, as appropriate. If more complex logic is in needed, you can similarly remove, replace, or view dependencies between CfnResource objects with the CfnResource removeDependency, replaceDependency, and obtainDependencies methods, respectively.

Custom Resources

Custom Resources are CloudFormation resources that are implemented by arbitrary user code. They can do arbitrary lookups or modifications during a CloudFormation deployment.

Custom resources are backed by custom resource providers. Commonly, these are Lambda Functions that are deployed in the same deployment as the one that defines the custom resource itself, but they can also be backed by Lambda Functions deployed previously, or code responding to SNS Topic events running on EC2 instances in a completely different account. For more information on custom resource providers, see the next section.

Once you have a provider, each definition of a CustomResource construct represents one invocation. A single provider can be used for the implementation of arbitrarily many custom resource definitions. A single definition looks like this:

 CustomResource.Builder.create(this, "MyMagicalResource")
         .resourceType("Custom::MyCustomResource") // must start with 'Custom::'
 
         // the resource properties
         // properties like serviceToken or serviceTimeout are ported into properties automatically
         // try not to use key names similar to these or there will be a risk of overwriting those values
         .properties(Map.of(
                 "Property1", "foo",
                 "Property2", "bar"))
 
         // the ARN of the provider (SNS/Lambda) which handles
         // CREATE, UPDATE or DELETE events for this resource type
         // see next section for details
         .serviceToken("ARN")
 
         // the maximum time, in seconds, that can elapse before a custom resource operation times out.
         .serviceTimeout(Duration.seconds(60))
         .build();
 

Custom Resource Providers

Custom resources are backed by a custom resource provider which can be implemented in one of the following ways. The following table compares the various provider types (ordered from low-level to high-level):

| Provider | Compute Type | Error Handling | Submit to CloudFormation | Max Timeout | Language | Footprint | | -------------------------------------------------------------------- | :----------: | :------------: | :----------------------: | :-------------: | :------: | :-------: | | sns.Topic | Self-managed | Manual | Manual | Unlimited | Any | Depends | | lambda.Function | AWS Lambda | Manual | Manual | 15min | Any | Small | | core.CustomResourceProvider | AWS Lambda | Auto | Auto | 15min | Node.js | Small | | custom-resources.Provider | AWS Lambda | Auto | Auto | Unlimited Async | Any | Large |

Legend:

• Compute type: which type of compute can be used to execute the handler.
• Error Handling: whether errors thrown by handler code are automatically trapped and a FAILED response is submitted to CloudFormation. If this is "Manual", developers must take care of trapping errors. Otherwise, events could cause stacks to hang.
• Submit to CloudFormation: whether the framework takes care of submitting SUCCESS/FAILED responses to CloudFormation through the event's response URL.
• Max Timeout: maximum allows/possible timeout.
• Language: which programming languages can be used to implement handlers.
• Footprint: how many resources are used by the provider framework itself.

A note about singletons

When defining resources for a custom resource provider, you will likely want to define them as a stack singleton so that only a single instance of the provider is created in your stack and which is used by all custom resources of that type.

Here is a basic pattern for defining stack singletons in the CDK. The following examples ensures that only a single SNS topic is defined:

 public Topic getOrCreate(Construct scope) {
     Stack stack = Stack.of(scope);
     String uniqueid = "GloballyUniqueIdForSingleton"; // For example, a UUID from `uuidgen`
     IConstruct existing = stack.node.tryFindChild(uniqueid);
     if (existing) {
         return (Topic)existing;
     }
     return new Topic(stack, uniqueid);
 }
 

Amazon SNS Topic

Every time a resource event occurs (CREATE/UPDATE/DELETE), an SNS notification is sent to the SNS topic. Users must process these notifications (e.g. through a fleet of worker hosts) and submit success/failure responses to the CloudFormation service.

You only need to use this type of provider if your custom resource cannot run on AWS Lambda, for reasons other than the 15 minute timeout. If you are considering using this type of provider because you want to write a custom resource provider that may need to wait for more than 15 minutes for the API calls to stabilize, have a look at the custom-resources module first.

Refer to the CloudFormation Custom Resource documentation for information on the contract your custom resource needs to adhere to.

Set serviceToken to topic.topicArn in order to use this provider:

 Topic topic = new Topic(this, "MyProvider");
 
 CustomResource.Builder.create(this, "MyResource")
         .serviceToken(topic.getTopicArn())
         .build();
 

AWS Lambda Function

An AWS lambda function is called directly by CloudFormation for all resource events. The handler must take care of explicitly submitting a success/failure response to the CloudFormation service and handle various error cases.

We do not recommend you use this provider type. The CDK has wrappers around Lambda Functions that make them easier to work with.

If you do want to use this provider, refer to the CloudFormation Custom Resource documentation for information on the contract your custom resource needs to adhere to.

Set serviceToken to lambda.functionArn to use this provider:

 SingletonFunction fn = new SingletonFunction(this, "MyProvider", functionProps);
 
 CustomResource.Builder.create(this, "MyResource")
         .serviceToken(fn.getFunctionArn())
         .build();
 

The core.CustomResourceProvider class

The class @aws-cdk/core.CustomResourceProvider offers a basic low-level framework designed to implement simple and slim custom resource providers. It currently only supports Node.js-based user handlers, represents permissions as raw JSON blobs instead of iam.PolicyStatement objects, and it does not have support for asynchronous waiting (handler cannot exceed the 15min lambda timeout). The CustomResourceProviderRuntime supports runtime nodejs12.x, nodejs14.x, nodejs16.x, nodejs18.x.

As an application builder, we do not recommend you use this provider type. This provider exists purely for custom resources that are part of the AWS Construct Library.

The custom-resources provider is more convenient to work with and more fully-featured.

The provider has a built-in singleton method which uses the resource type as a stack-unique identifier and returns the service token:

 String serviceToken = CustomResourceProvider.getOrCreate(this, "Custom::MyCustomResourceType", CustomResourceProviderProps.builder()
         .codeDirectory(String.format("%s/my-handler", __dirname))
         .runtime(CustomResourceProviderRuntime.NODEJS_18_X)
         .description("Lambda function created by the custom resource provider")
         .build());
 
 CustomResource.Builder.create(this, "MyResource")
         .resourceType("Custom::MyCustomResourceType")
         .serviceToken(serviceToken)
         .build();
 

The directory (my-handler in the above example) must include an index.js file. It cannot import external dependencies or files outside this directory. It must export an async function named handler. This function accepts the CloudFormation resource event object and returns an object with the following structure:

 exports.handler = async function(event) {
   const id = event.PhysicalResourceId; // only for "Update" and "Delete"
   const props = event.ResourceProperties;
   const oldProps = event.OldResourceProperties; // only for "Update"s
 
   switch (event.RequestType) {
     case "Create":
       // ...
 
     case "Update":
       // ...
 
       // if an error is thrown, a FAILED response will be submitted to CFN
       throw new Error('Failed!');
 
     case "Delete":
       // ...
   }
 
   return {
     // (optional) the value resolved from `resource.ref`
     // defaults to "event.PhysicalResourceId" or "event.RequestId"
     PhysicalResourceId: "REF",
 
     // (optional) calling `resource.getAtt("Att1")` on the custom resource in the CDK app
     // will return the value "BAR".
     Data: {
       Att1: "BAR",
       Att2: "BAZ"
     },
 
     // (optional) user-visible message
     Reason: "User-visible message",
 
     // (optional) hides values from the console
     NoEcho: true
   };
 }
 

Here is an complete example of a custom resource that summarizes two numbers:

sum-handler/index.js:

 exports.handler = async (e) => {
   return {
     Data: {
       Result: e.ResourceProperties.lhs + e.ResourceProperties.rhs,
     },
   };
 };
 

sum.ts:

 import software.constructs.Construct;
 import software.amazon.awscdk.CustomResource;
 import software.amazon.awscdk.CustomResourceProvider;
 import software.amazon.awscdk.CustomResourceProviderRuntime;
 import software.amazon.awscdk.Token;
 
 public class SumProps {
     private Number lhs;
     public Number getLhs() {
         return this.lhs;
     }
     public SumProps lhs(Number lhs) {
         this.lhs = lhs;
         return this;
     }
     private Number rhs;
     public Number getRhs() {
         return this.rhs;
     }
     public SumProps rhs(Number rhs) {
         this.rhs = rhs;
         return this;
     }
 }
 
 public class Sum extends Construct {
     public final Number result;
 
     public Sum(Construct scope, String id, SumProps props) {
         super(scope, id);
 
         String resourceType = "Custom::Sum";
         String serviceToken = CustomResourceProvider.getOrCreate(this, resourceType, CustomResourceProviderProps.builder()
                 .codeDirectory(String.format("%s/sum-handler", __dirname))
                 .runtime(CustomResourceProviderRuntime.NODEJS_18_X)
                 .build());
 
         CustomResource resource = CustomResource.Builder.create(this, "Resource")
                 .resourceType(resourceType)
                 .serviceToken(serviceToken)
                 .properties(Map.of(
                         "lhs", props.getLhs(),
                         "rhs", props.getRhs()))
                 .build();
 
         this.result = Token.asNumber(resource.getAtt("Result"));
     }
 }
 

Usage will look like this:

 Sum sum = new Sum(this, "MySum", new SumProps().lhs(40).rhs(2));
 CfnOutput.Builder.create(this, "Result").value(Token.asString(sum.getResult())).build();
 

To access the ARN of the provider's AWS Lambda function role, use the getOrCreateProvider() built-in singleton method:

 CustomResourceProvider provider = CustomResourceProvider.getOrCreateProvider(this, "Custom::MyCustomResourceType", CustomResourceProviderProps.builder()
         .codeDirectory(String.format("%s/my-handler", __dirname))
         .runtime(CustomResourceProviderRuntime.NODEJS_18_X)
         .build());
 
 String roleArn = provider.getRoleArn();
 

This role ARN can then be used in resource-based IAM policies.

To add IAM policy statements to this role, use addToRolePolicy():

 CustomResourceProvider provider = CustomResourceProvider.getOrCreateProvider(this, "Custom::MyCustomResourceType", CustomResourceProviderProps.builder()
         .codeDirectory(String.format("%s/my-handler", __dirname))
         .runtime(CustomResourceProviderRuntime.NODEJS_18_X)
         .build());
 provider.addToRolePolicy(Map.of(
         "Effect", "Allow",
         "Action", "s3:GetObject",
         "Resource", "*"));
 

Note that addToRolePolicy() uses direct IAM JSON policy blobs, not a iam.PolicyStatement object like you will see in the rest of the CDK.

The Custom Resource Provider Framework

The @aws-cdk/custom-resources module includes an advanced framework for implementing custom resource providers.

Handlers are implemented as AWS Lambda functions, which means that they can be implemented in any Lambda-supported runtime. Furthermore, this provider has an asynchronous mode, which means that users can provide an isComplete lambda function which is called periodically until the operation is complete. This allows implementing providers that can take up to two hours to stabilize.

Set serviceToken to provider.serviceToken to use this type of provider:

 Provider provider = Provider.Builder.create(this, "MyProvider")
         .onEventHandler(onEventHandler)
         .isCompleteHandler(isCompleteHandler)
         .build();
 
 CustomResource.Builder.create(this, "MyResource")
         .serviceToken(provider.getServiceToken())
         .build();
 

See the documentation for more details.

AWS CloudFormation features

A CDK stack synthesizes to an AWS CloudFormation Template. This section explains how this module allows users to access low-level CloudFormation features when needed.

Stack Outputs

CloudFormation stack outputs and exports are created using the CfnOutput class:

 CfnOutput.Builder.create(this, "OutputName")
         .value(myBucket.getBucketName())
         .description("The name of an S3 bucket") // Optional
         .exportName("TheAwesomeBucket")
         .build();
 

You can also use the exportValue method to export values as stack outputs:

 Stack stack;
 
 
 stack.exportValue(myBucket.getBucketName(), ExportValueOptions.builder()
         .name("TheAwesomeBucket")
         .description("The name of an S3 bucket")
         .build());
 

Parameters

CloudFormation templates support the use of Parameters to customize a template. They enable CloudFormation users to input custom values to a template each time a stack is created or updated. While the CDK design philosophy favors using build-time parameterization, users may need to use CloudFormation in a number of cases (for example, when migrating an existing stack to the AWS CDK).

Template parameters can be added to a stack by using the CfnParameter class:

 CfnParameter.Builder.create(this, "MyParameter")
         .type("Number")
         .default(1337)
         .build();
 

The value of parameters can then be obtained using one of the value methods. As parameters are only resolved at deployment time, the values obtained are placeholder tokens for the real value (Token.isUnresolved() would return true for those):

 CfnParameter param = CfnParameter.Builder.create(this, "ParameterName").build();
 
 // If the parameter is a String
 param.getValueAsString();
 
 // If the parameter is a Number
 param.getValueAsNumber();
 
 // If the parameter is a List
 param.getValueAsList();
 

Pseudo Parameters

CloudFormation supports a number of pseudo parameters, which resolve to useful values at deployment time. CloudFormation pseudo parameters can be obtained from static members of the Aws class.

It is generally recommended to access pseudo parameters from the scope's stack instead, which guarantees the values produced are qualifying the designated stack, which is essential in cases where resources are shared cross-stack:

 // "this" is the current construct
 Stack stack = Stack.of(this);
 
 stack.getAccount(); // Returns the AWS::AccountId for this stack (or the literal value if known)
 stack.getRegion(); // Returns the AWS::Region for this stack (or the literal value if known)
 stack.getPartition();
 

Resource Options

CloudFormation resources can also specify resource attributes. The CfnResource class allows accessing those through the cfnOptions property:

 CfnBucket rawBucket = CfnBucket.Builder.create(this, "Bucket").build();
 // -or-
 CfnBucket rawBucketAlt = (CfnBucket)myBucket.getNode().getDefaultChild();
 
 // then
 rawBucket.getCfnOptions().getCondition() = CfnCondition.Builder.create(this, "EnableBucket").build();
 rawBucket.getCfnOptions().getMetadata() = Map.of(
         "metadataKey", "MetadataValue");
 

Resource dependencies (the DependsOn attribute) is modified using the cfnResource.addDependency method:

 CfnResource resourceA = new CfnResource(this, "ResourceA", resourceProps);
 CfnResource resourceB = new CfnResource(this, "ResourceB", resourceProps);
 
 resourceB.addDependency(resourceA);
 

CreationPolicy

Some resources support a CreationPolicy to be specified as a CfnOption.

The creation policy is invoked only when AWS CloudFormation creates the associated resource. Currently, the only AWS CloudFormation resources that support creation policies are CfnAutoScalingGroup, CfnInstance, CfnWaitCondition and CfnFleet.

The CfnFleet resource from the aws-appstream module supports specifying startFleet as a property of the creationPolicy on the resource options. Setting it to true will make AWS CloudFormation wait until the fleet is started before continuing with the creation of resources that depend on the fleet resource.

 CfnFleet fleet = CfnFleet.Builder.create(this, "Fleet")
         .instanceType("stream.standard.small")
         .name("Fleet")
         .computeCapacity(ComputeCapacityProperty.builder()
                 .desiredInstances(1)
                 .build())
         .imageName("AppStream-AmazonLinux2-09-21-2022")
         .build();
 fleet.getCfnOptions().getCreationPolicy() = CfnCreationPolicy.builder()
         .startFleet(true)
         .build();
 

The properties passed to the level 2 constructs AutoScalingGroup and Instance from the aws-ec2 module abstract what is passed into the CfnOption properties resourceSignal and autoScalingCreationPolicy, but when using level 1 constructs you can specify these yourself.

The CfnWaitCondition resource from the aws-cloudformation module supports the resourceSignal. The format of the timeout is PT#H#M#S. In the example below AWS Cloudformation will wait for 3 success signals to occur within 15 minutes before the status of the resource will be set to CREATE_COMPLETE.

 CfnResource resource;
 
 
 resource.getCfnOptions().getCreationPolicy() = CfnCreationPolicy.builder()
         .resourceSignal(CfnResourceSignal.builder()
                 .count(3)
                 .timeout("PR15M")
                 .build())
         .build();
 

Intrinsic Functions and Condition Expressions

CloudFormation supports intrinsic functions. These functions can be accessed from the Fn class, which provides type-safe methods for each intrinsic function as well as condition expressions:

 Object myObjectOrArray;
 Object myArray;
 
 
 // To use Fn::Base64
 Fn.base64("SGVsbG8gQ0RLIQo=");
 
 // To compose condition expressions:
 CfnParameter environmentParameter = new CfnParameter(this, "Environment");
 Fn.conditionAnd(Fn.conditionEquals("Production", environmentParameter), Fn.conditionNot(Fn.conditionEquals("us-east-1", Aws.REGION)));
 
 // To use Fn::ToJsonString
 Fn.toJsonString(myObjectOrArray);
 
 // To use Fn::Length
 Fn.len(Fn.split(",", myArray));
 

When working with deploy-time values (those for which Token.isUnresolved returns true), idiomatic conditionals from the programming language cannot be used (the value will not be known until deployment time). When conditional logic needs to be expressed with un-resolved values, it is necessary to use CloudFormation conditions by means of the CfnCondition class:

 CfnParameter environmentParameter = new CfnParameter(this, "Environment");
 CfnCondition isProd = CfnCondition.Builder.create(this, "IsProduction")
         .expression(Fn.conditionEquals("Production", environmentParameter))
         .build();
 
 // Configuration value that is a different string based on IsProduction
 String stage = Fn.conditionIf(isProd.logicalId, "Beta", "Prod").toString();
 
 // Make Bucket creation condition to IsProduction by accessing
 // and overriding the CloudFormation resource
 Bucket bucket = new Bucket(this, "Bucket");
 CfnBucket cfnBucket = (CfnBucket)myBucket.getNode().getDefaultChild();
 cfnBucket.getCfnOptions().getCondition() = isProd;
 

Mappings

CloudFormation mappings are created and queried using the CfnMappings class:

 CfnMapping regionTable = CfnMapping.Builder.create(this, "RegionTable")
         .mapping(Map.of(
                 "us-east-1", Map.of(
                         "regionName", "US East (N. Virginia)"),
                 "us-east-2", Map.of(
                         "regionName", "US East (Ohio)")))
         .build();
 
 regionTable.findInMap(Aws.REGION, "regionName");
 

This will yield the following template:

 Mappings:
   RegionTable:
     us-east-1:
       regionName: US East (N. Virginia)
     us-east-2:
       regionName: US East (Ohio)
 

Mappings can also be synthesized "lazily"; lazy mappings will only render a "Mappings" section in the synthesized CloudFormation template if some findInMap call is unable to immediately return a concrete value due to one or both of the keys being unresolved tokens (some value only available at deploy-time).

For example, the following code will not produce anything in the "Mappings" section. The call to findInMap will be able to resolve the value during synthesis and simply return 'US East (Ohio)'.

 CfnMapping regionTable = CfnMapping.Builder.create(this, "RegionTable")
         .mapping(Map.of(
                 "us-east-1", Map.of(
                         "regionName", "US East (N. Virginia)"),
                 "us-east-2", Map.of(
                         "regionName", "US East (Ohio)")))
         .lazy(true)
         .build();
 
 regionTable.findInMap("us-east-2", "regionName");
 

On the other hand, the following code will produce the "Mappings" section shown above, since the top-level key is an unresolved token. The call to findInMap will return a token that resolves to { "Fn::FindInMap": [ "RegionTable", { "Ref": "AWS::Region" }, "regionName" ] }.

 CfnMapping regionTable;
 
 
 regionTable.findInMap(Aws.REGION, "regionName");
 

An optional default value can also be passed to findInMap. If either key is not found in the map and the mapping is lazy, findInMap will return the default value and not render the mapping. If the mapping is not lazy or either key is an unresolved token, the call to findInMap will return a token that resolves to { "Fn::FindInMap": [ "MapName", "TopLevelKey", "SecondLevelKey", { "DefaultValue": "DefaultValue" } ] }, and the mapping will be rendered. Note that the AWS::LanguageExtentions transform is added to enable the default value functionality.

For example, the following code will again not produce anything in the "Mappings" section. The call to findInMap will be able to resolve the value during synthesis and simply return 'Region not found'.

 CfnMapping regionTable = CfnMapping.Builder.create(this, "RegionTable")
         .mapping(Map.of(
                 "us-east-1", Map.of(
                         "regionName", "US East (N. Virginia)"),
                 "us-east-2", Map.of(
                         "regionName", "US East (Ohio)")))
         .lazy(true)
         .build();
 
 regionTable.findInMap("us-west-1", "regionName", "Region not found");
 

Dynamic References

CloudFormation supports dynamically resolving values for SSM parameters (including secure strings) and Secrets Manager. Encoding such references is done using the CfnDynamicReference class:

 new CfnDynamicReference(CfnDynamicReferenceService.SECRETS_MANAGER, "secret-id:secret-string:json-key:version-stage:version-id");
 

RemovalPolicies

The RemovalPolicies class provides a convenient way to manage removal policies for AWS CDK resources within a construct scope. It allows you to apply removal policies to multiple resources at once, with options to include or exclude specific resource types.

 Construct scope;
 Construct parent;
 CfnBucket bucket;
 
 
 // Apply DESTROY policy to all resources in a scope
 RemovalPolicies.of(scope).destroy();
 
 // Apply RETAIN policy to all resources in a scope
 RemovalPolicies.of(scope).retain();
 
 // Apply SNAPSHOT policy to all resources in a scope
 RemovalPolicies.of(scope).snapshot();
 
 // Apply RETAIN_ON_UPDATE_OR_DELETE policy to all resources in a scope
 RemovalPolicies.of(scope).retainOnUpdateOrDelete();
 
 // Apply RETAIN policy only to specific resource types
 RemovalPolicies.of(parent).retain(RemovalPolicyProps.builder()
         .applyToResourceTypes(List.of("AWS::DynamoDB::Table", bucket.getCfnResourceType(), CfnDBInstance.CFN_RESOURCE_TYPE_NAME))
         .build());
 
 // Apply SNAPSHOT policy excluding specific resource types
 RemovalPolicies.of(scope).snapshot(RemovalPolicyProps.builder()
         .excludeResourceTypes(List.of("AWS::Test::Resource"))
         .build());
 

RemovalPolicies vs MissingRemovalPolicies

CDK provides two different classes for managing removal policies:

• RemovalPolicies: Always applies the specified removal policy, overriding any existing policies.
• MissingRemovalPolicies: Applies the removal policy only to resources that don't already have a policy set.

 // Override any existing policies
 RemovalPolicies.of(scope).retain();
 
 // Only apply to resources without existing policies
 MissingRemovalPolicies.of(scope).retain();
 

Aspect Priority

Both RemovalPolicies and MissingRemovalPolicies are implemented as Aspects. You can control the order in which they're applied using the priority parameter:

 Stack stack;
 
 
 // Apply in a specific order based on priority
 RemovalPolicies.of(stack).retain(RemovalPolicyProps.builder().priority(100).build());
 RemovalPolicies.of(stack).destroy(RemovalPolicyProps.builder().priority(200).build());
 

For RemovalPolicies, the policies are applied in order of aspect execution, with the last applied policy overriding previous ones. The priority only affects the order in which aspects are applied during synthesis.

Note

When using MissingRemovalPolicies with priority, a warning will be issued as this can lead to unexpected behavior. This is because MissingRemovalPolicies only applies to resources without existing policies, making priority less relevant.

Template Options & Transform

CloudFormation templates support a number of options, including which Macros or Transforms to use when deploying the stack. Those can be configured using the stack.templateOptions property:

 Stack stack = new Stack(app, "StackName");
 
 stack.getTemplateOptions().getDescription() = "This will appear in the AWS console";
 stack.getTemplateOptions().getTransforms() = List.of("AWS::Serverless-2016-10-31");
 stack.getTemplateOptions().getMetadata() = Map.of(
         "metadataKey", "MetadataValue");
 

Emitting Raw Resources

The CfnResource class allows emitting arbitrary entries in the Resources section of the CloudFormation template.

 CfnResource.Builder.create(this, "ResourceId")
         .type("AWS::S3::Bucket")
         .properties(Map.of(
                 "BucketName", "amzn-s3-demo-bucket"))
         .build();
 

As for any other resource, the logical ID in the CloudFormation template will be generated by the AWS CDK, but the type and properties will be copied verbatim in the synthesized template.

Including raw CloudFormation template fragments

When migrating a CloudFormation stack to the AWS CDK, it can be useful to include fragments of an existing template verbatim in the synthesized template. This can be achieved using the CfnInclude class.

 new CfnInclude(this, "ID", new CfnIncludeProps()
         .template(Map.of(
                 "Resources", Map.of(
                         "Bucket", Map.of(
                                 "Type", "AWS::S3::Bucket",
                                 "Properties", Map.of(
                                         "BucketName", "amzn-s3-demo-bucket")))))
         );
 

Termination Protection

You can prevent a stack from being accidentally deleted by enabling termination protection on the stack. If a user attempts to delete a stack with termination protection enabled, the deletion fails and the stack--including its status--remains unchanged. Enabling or disabling termination protection on a stack sets it for any nested stacks belonging to that stack as well. You can enable termination protection on a stack by setting the terminationProtection prop to true.

 Stack stack = Stack.Builder.create(app, "StackName")
         .terminationProtection(true)
         .build();
 

You can also set termination protection with the setter after you've instantiated the stack.

 Stack stack = Stack.Builder.create(app, "StackName").build();
 stack.getTerminationProtection() = true;
 

By default, termination protection is disabled.

Description

You can add a description of the stack in the same way as StackProps.

 Stack stack = Stack.Builder.create(app, "StackName")
         .description("This is a description.")
         .build();
 

Receiving CloudFormation Stack Events

You can add one or more SNS Topic ARNs to any Stack:

 Stack stack = Stack.Builder.create(app, "StackName")
         .notificationArns(List.of("arn:aws:sns:us-east-1:123456789012:Topic"))
         .build();
 

Stack events will be sent to any SNS Topics in this list. These ARNs are added to those specified using the --notification-arns command line option.

Note that in order to do delete notification ARNs entirely, you must pass an empty array ([]) instead of omitting it. If you omit the property, no action on existing ARNs will take place.

[!NOTE] Adding the notificationArns property (or using the --notification-arns CLI options) will override any existing ARNs configured on the stack. If you have an external system managing notification ARNs, either migrate to use this mechanism, or avoid specfying notification ARNs with the CDK.

CfnJson

CfnJson allows you to postpone the resolution of a JSON blob from deployment-time. This is useful in cases where the CloudFormation JSON template cannot express a certain value.

A common example is to use CfnJson in order to render a JSON map which needs to use intrinsic functions in keys. Since JSON map keys must be strings, it is impossible to use intrinsics in keys and CfnJson can help.

The following example defines an IAM role which can only be assumed by principals that are tagged with a specific tag.

 CfnParameter tagParam = new CfnParameter(this, "TagName");
 
 CfnJson stringEquals = CfnJson.Builder.create(this, "ConditionJson")
         .value(Map.of(
                 String.format("aws:PrincipalTag/%s", tagParam.getValueAsString()), true))
         .build();
 
 PrincipalBase principal = new AccountRootPrincipal().withConditions(Map.of(
         "StringEquals", stringEquals));
 
 Role.Builder.create(this, "MyRole").assumedBy(principal).build();
 

Explanation: since in this example we pass the tag name through a parameter, it can only be resolved during deployment. The resolved value can be represented in the template through a { "Ref": "TagName" }. However, since we want to use this value inside a aws:PrincipalTag/TAG-NAME IAM operator, we need it in the key of a StringEquals condition. JSON keys must be strings, so to circumvent this limitation, we use CfnJson to "delay" the rendition of this template section to deploy-time. This means that the value of StringEquals in the template will be { "Fn::GetAtt": [ "ConditionJson", "Value" ] }, and will only "expand" to the operator we synthesized during deployment.

Stack Resource Limit

When deploying to AWS CloudFormation, it needs to keep in check the amount of resources being added inside a Stack. Currently it's possible to check the limits in the AWS CloudFormation quotas page.

It's possible to synthesize the project with more Resources than the allowed (or even reduce the number of Resources).

Set the context key @aws-cdk/core:stackResourceLimit with the proper value, being 0 for disable the limit of resources.

Template Indentation

The AWS CloudFormation templates generated by CDK include indentation by default. Indentation makes the templates more readable, but also increases their size, and CloudFormation templates cannot exceed 1MB.

It's possible to reduce the size of your templates by suppressing indentation.

To do this for all templates, set the context key @aws-cdk/core:suppressTemplateIndentation to true.

To do this for a specific stack, add a suppressTemplateIndentation: true property to the stack's StackProps parameter. You can also set this property to false to override the context key setting.

App Context

Context values are key-value pairs that can be associated with an app, stack, or construct. One common use case for context is to use it for enabling/disabling feature flags. There are several places where context can be specified. They are listed below in the order they are evaluated (items at the top take precedence over those below).

• The node.setContext() method
• The postCliContext prop when you create an App
• The CLI via the --context CLI argument
• The cdk.json file via the context key:
• The cdk.context.json file:
• The ~/.cdk.json file via the context key:
• The context prop when you create an App

Examples of setting context

 App.Builder.create()
         .context(Map.of(
                 "@aws-cdk/core:newStyleStackSynthesis", true))
         .build();
 

 App app = new App();
 app.node.setContext("@aws-cdk/core:newStyleStackSynthesis", true);
 

 App.Builder.create()
         .postCliContext(Map.of(
                 "@aws-cdk/core:newStyleStackSynthesis", true))
         .build();
 

 cdk synth --context @aws-cdk/core:newStyleStackSynthesis=true
 

cdk.json

 {
   "context": {
     "@aws-cdk/core:newStyleStackSynthesis": true
   }
 }
 

cdk.context.json

 {
   "@aws-cdk/core:newStyleStackSynthesis": true
 }
 

~/.cdk.json

 {
   "context": {
     "@aws-cdk/core:newStyleStackSynthesis": true
   }
 }
 

IAM Permissions Boundary

It is possible to apply an IAM permissions boundary to all roles within a specific construct scope. The most common use case would be to apply a permissions boundary at the Stage level.

 Stage prodStage = Stage.Builder.create(app, "ProdStage")
         .permissionsBoundary(PermissionsBoundary.fromName("cdk-${Qualifier}-PermissionsBoundary"))
         .build();
 

Any IAM Roles or Users created within this Stage will have the default permissions boundary attached.

For more details see the Permissions Boundary section in the IAM guide.

Policy Validation

If you or your organization use (or would like to use) any policy validation tool, such as CloudFormation Guard or OPA, to define constraints on your CloudFormation template, you can incorporate them into the CDK application. By using the appropriate plugin, you can make the CDK application check the generated CloudFormation templates against your policies immediately after synthesis. If there are any violations, the synthesis will fail and a report will be printed to the console or to a file (see below).

[!NOTE] This feature is considered experimental, and both the plugin API and the format of the validation report are subject to change in the future.

For application developers

To use one or more validation plugins in your application, use the policyValidationBeta1 property of Stage:

 // globally for the entire app (an app is a stage)
 App app = App.Builder.create()
         .policyValidationBeta1(List.of(
             // These hypothetical classes implement IPolicyValidationPluginBeta1:
             new ThirdPartyPluginX(),
             new ThirdPartyPluginY()))
         .build();
 
 // only apply to a particular stage
 Stage prodStage = Stage.Builder.create(app, "ProdStage")
         .policyValidationBeta1(List.of(
             new ThirdPartyPluginX()))
         .build();
 

Immediately after synthesis, all plugins registered this way will be invoked to validate all the templates generated in the scope you defined. In particular, if you register the templates in the App object, all templates will be subject to validation.

Warning Other than modifying the cloud assembly, plugins can do anything that your CDK application can. They can read data from the filesystem, access the network etc. It's your responsibility as the consumer of a plugin to verify that it is secure to use.

By default, the report will be printed in a human-readable format. If you want a report in JSON format, enable it using the @aws-cdk/core:validationReportJson context passing it directly to the application:

 App app = App.Builder.create()
         .context(Map.of("@aws-cdk/core:validationReportJson", true))
         .build();
 

Alternatively, you can set this context key-value pair using the cdk.json or cdk.context.json files in your project directory (see Runtime context).

It is also possible to enable both JSON and human-readable formats by setting @aws-cdk/core:validationReportPrettyPrint context key explicitly:

 App app = App.Builder.create()
         .context(Map.of(
                 "@aws-cdk/core:validationReportJson", true,
                 "@aws-cdk/core:validationReportPrettyPrint", true))
         .build();
 

If you choose the JSON format, the CDK will print the policy validation report to a file called policy-validation-report.json in the cloud assembly directory. For the default, human-readable format, the report will be printed to the standard output.

For plugin authors

The communication protocol between the CDK core module and your policy tool is defined by the IPolicyValidationPluginBeta1 interface. To create a new plugin you must write a class that implements this interface. There are two things you need to implement: the plugin name (by overriding the name property), and the validate() method.

The framework will call validate(), passing an IPolicyValidationContextBeta1 object. The location of the templates to be validated is given by templatePaths. The plugin should return an instance of PolicyValidationPluginReportBeta1. This object represents the report that the user wil receive at the end of the synthesis.

 public class MyPlugin implements IPolicyValidationPluginBeta1 {
     public final Object name;
 
     public PolicyValidationPluginReportBeta1 validate(IPolicyValidationContextBeta1 context) {
         // First read the templates using context.templatePaths...
 
         // ...then perform the validation, and then compose and return the report.
         // Using hard-coded values here for better clarity:
         return PolicyValidationPluginReportBeta1.builder()
                 .success(false)
                 .violations(List.of(PolicyViolationBeta1.builder()
                         .ruleName("CKV_AWS_117")
                         .description("Ensure that AWS Lambda function is configured inside a VPC")
                         .fix("https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1")
                         .violatingResources(List.of(PolicyViolatingResourceBeta1.builder()
                                 .resourceLogicalId("MyFunction3BAA72D1")
                                 .templatePath("/home/johndoe/myapp/cdk.out/MyService.template.json")
                                 .locations(List.of("Properties/VpcConfig"))
                                 .build()))
                         .build()))
                 .build();
     }
 }
 

In addition to the name, plugins may optionally report their version (version property ) and a list of IDs of the rules they are going to evaluate (ruleIds property).

Note that plugins are not allowed to modify anything in the cloud assembly. Any attempt to do so will result in synthesis failure.

If your plugin depends on an external tool, keep in mind that some developers may not have that tool installed in their workstations yet. To minimize friction, we highly recommend that you provide some installation script along with your plugin package, to automate the whole process. Better yet, run that script as part of the installation of your package. With npm, for example, you can run add it to the postinstall script in the package.json file.

Annotations

Construct authors can add annotations to constructs to report at three different levels: ERROR, WARN, INFO.

Typically warnings are added for things that are important for the user to be aware of, but will not cause deployment errors in all cases. Some common scenarios are (non-exhaustive list):

• Warn when the user needs to take a manual action, e.g. IAM policy should be added to an referenced resource.
• Warn if the user configuration might not follow best practices (but is still valid)
• Warn if the user is using a deprecated API

Acknowledging Warnings

If you would like to run with --strict mode enabled (warnings will throw errors) it is possible to acknowledge warnings to make the warning go away.

For example, if > 10 IAM managed policies are added to an IAM Group, a warning will be created:

 IAM:Group:MaxPoliciesExceeded: You added 11 to IAM Group my-group. The maximum number of managed policies attached to an IAM group is 10.
 

If you have requested a quota increase you may have the ability to add > 10 managed policies which means that this warning does not apply to you. You can acknowledge this by acknowledging the warning by the id.

 Annotations.of(this).acknowledgeWarning("IAM:Group:MaxPoliciesExceeded", "Account has quota increased to 20");
 

Acknowledging Infos

Informational messages can also be emitted and acknowledged. Use addInfoV2() to add an info message that can later be suppressed with acknowledgeInfo(). Unlike warnings, info messages are not affected by the --strict mode and will never cause synthesis to fail.

 Annotations.of(this).addInfoV2("my-lib:Construct.someInfo", "Some message explaining the info");
 Annotations.of(this).acknowledgeInfo("my-lib:Construct.someInfo", "This info can be ignored");
 

Aspects

Aspects is a feature in CDK that allows you to apply operations or transformations across all constructs in a construct tree. Common use cases include tagging resources, enforcing encryption on S3 Buckets, or applying specific security or compliance rules to all resources in a stack.

Conceptually, there are two types of Aspects:

• Read-only aspects scan the construct tree but do not make changes to the tree. Common use cases of read-only aspects include performing validations (for example, enforcing that all S3 Buckets have versioning enabled) and logging (for example, collecting information about all deployed resources for audits or compliance).
• Mutating aspects either (1.) add new nodes or (2.) mutate existing nodes of the tree in-place. One commonly used mutating Aspect is adding Tags to resources. An example of an Aspect that adds a node is one that automatically adds a security group to every EC2 instance in the construct tree if no default is specified.

Here is a simple example of creating and applying an Aspect on a Stack to enable versioning on all S3 Buckets:

 public class EnableBucketVersioning implements IAspect {
     public void visit(IConstruct node) {
         if (node instanceof CfnBucket) {
             node.getVersioningConfiguration() = VersioningConfigurationProperty.builder()
                     .status("Enabled")
                     .build();
         }
     }
 }
 
 App app = new App();
 MyStack stack = new MyStack(app, "MyStack");
 
 // Apply the aspect to enable versioning on all S3 Buckets
 Aspects.of(stack).add(new EnableBucketVersioning());
 

Aspect Stabilization

The modern behavior is that Aspects automatically run on newly added nodes to the construct tree. This is controlled by the flag @aws-cdk/core:aspectStabilization, which is default for new projects (since version 2.172.0).

The old behavior of Aspects (without stabilization) was that Aspect invocation runs once on the entire construct tree. This meant that nested Aspects (Aspects that create new Aspects) are not invoked and nodes created by Aspects at a higher level of the construct tree are not visited.

To enable the stabilization behavior for older versions, use this feature by putting the following into your cdk.context.json:

 {
   "@aws-cdk/core:aspectStabilization": true
 }
 

Aspect Priorities

Users can specify the order in which Aspects are applied on a construct by using the optional priority parameter when applying an Aspect. Priority values must be non-negative integers, where a higher number means the Aspect will be applied later, and a lower number means it will be applied sooner.

By default, newly created nodes always inherit aspects. Priorities are mainly for ordering between mutating aspects on the construct tree.

CDK provides standard priority values for mutating and readonly aspects to help ensure consistency across different construct libraries. Note that Aspects that have same priority value are not guaranteed to be executed in a consistent order.

 /**
  * Default Priority values for Aspects.
  */
 public class AspectPriority {
     /**
        * Suggested priority for Aspects that mutate the construct tree.
        */
     public final Number MUTATING;
 
     /**
        * Suggested priority for Aspects that only read the construct tree.
        */
     public final Number READONLY;
 
     /**
        * Default priority for Aspects that are applied without a priority.
        */
     public final Number DEFAULT;
 }
 

If no priority is provided, the default value will be 500. This ensures that aspects without a specified priority run after mutating aspects but before any readonly aspects.

Correctly applying Aspects with priority values ensures that mutating aspects (such as adding tags or resources) run before validation aspects. This allows users to avoid misconfigurations and ensure that the final construct tree is fully validated before being synthesized.

Applying Aspects with Priority

 public class MutatingAspect implements IAspect {
     public void visit(IConstruct node) {
     }
 }
 
 public class ValidationAspect implements IAspect {
     public void visit(IConstruct node) {
     }
 }
 
 Stack stack = new Stack();
 
 Aspects.of(stack).add(new MutatingAspect(), AspectOptions.builder().priority(AspectPriority.MUTATING).build()); // Run first (mutating aspects)
 Aspects.of(stack).add(new ValidationAspect(), AspectOptions.builder().priority(AspectPriority.READONLY).build());
 

Inspecting applied aspects and changing priorities

We also give customers the ability to view all of their applied aspects and override the priority on these aspects. The AspectApplication class represents an Aspect that is applied to a node of the construct tree with a priority.

Users can access AspectApplications on a node by calling applied from the Aspects class as follows:

 Construct root;
 
 App app = new App();
 MyStack stack = new MyStack(app, "MyStack");
 
 Aspects.of(stack).add(new MyAspect());
 
 AspectApplication[] aspectApplications = Aspects.of(root).getApplied();
 
 for (Object aspectApplication : aspectApplications) {
     // The aspect we are applying
     System.out.println(aspectApplication.getAspect());
     // The construct we are applying the aspect to
     System.out.println(aspectApplication.getConstruct());
     // The priority it was applied with
     System.out.println(aspectApplication.getPriority());
 
     // Change the priority
     aspectApplication.getPriority() = 700;
 }
 

Blueprint Property Injection

The goal of Blueprint Property Injection is to provide builders an automatic way to set default property values.

Construct authors can declare that a Construct can have it properties injected by adding @propertyInjectable class decorator and specifying PROPERTY_INJECTION_ID readonly property. All L2 Constructs will support Property Injection so organizations can write injectors to set their Construct Props.

Organizations can set default property values to a Construct by writing Injectors for builders to consume.

Here is a simple example of an Injector for APiKey that sets enabled to false.

 public class ApiKeyPropsInjector implements IPropertyInjector {
     public final String constructUniqueId;
 
     public ApiKeyPropsInjector() {
         this.constructUniqueId = ApiKey.PROPERTY_INJECTION_ID;
     }
 
     public ApiKeyProps inject(ApiKeyProps originalProps, InjectionContext context) {
         return ApiKeyProps.builder()
                 .enabled(false)
                 .apiKeyName(originalProps.getApiKeyName())
                 .customerId(originalProps.getCustomerId())
                 .defaultCorsPreflightOptions(originalProps.getDefaultCorsPreflightOptions())
                 .defaultIntegration(originalProps.getDefaultIntegration())
                 .defaultMethodOptions(originalProps.getDefaultMethodOptions())
                 .description(originalProps.getDescription())
                 .generateDistinctId(originalProps.getGenerateDistinctId())
                 .resources(originalProps.getResources())
                 .stages(originalProps.getStages())
                 .value(originalProps.getValue())
                 .build();
     }
 }
 

Some notes:

• ApiKey must have a PROPERTY_INJECTION_ID property, in addition to having @propertyInjectable class decorator.
• We set ApiKeyProps.enabled to false, if it is not provided; otherwise it would use the value that was passed in.
• It is also possible to force ApiKeyProps.enabled to false, and not provide a way for the builders to overwrite it.

Here is an example of how builders can use the injector the org created.

 Stack stack = Stack.Builder.create(app, "my-stack")
         .propertyInjectors(List.of(new ApiKeyPropsInjector()))
         .build();
 ApiKey.Builder.create(stack, "my-api-key").build();
 

This is equivalent to:

 Stack stack = Stack.Builder.create(app, "my-stack").build();
 ApiKey.Builder.create(stack, "my-api-key")
         .enabled(false)
         .build();
 

Some notes:

• We attach the injectors to Stack in this example, but we can also attach them to App or Stage.
• All the ApiKey created in the scope of stack will get enabled: false.
• Builders can overwrite the default value with new ApiKey(stack, 'my-api-key', {enabled: true});

If you specify two or more injectors for the same Constructs, the last one is in effect. In the example below, ApiKeyPropsInjector will never be applied.

 Stack stack = Stack.Builder.create(app, "my-stack")
         .propertyInjectors(List.of(
             new ApiKeyPropsInjector(),
             new AnotherApiKeyPropsInjector()))
         .build();
 

For more information, please see the RFC.

Related Packages

Package	Description
software.amazon.awscdk.assertions	Assertions
software.amazon.awscdk.aws_apigatewayv2_authorizers	AWS APIGatewayv2 Authorizers
software.amazon.awscdk.aws_apigatewayv2_integrations	AWS APIGatewayv2 Integrations
software.amazon.awscdk.cloud_assembly_schema	Cloud Assembly Schema
software.amazon.awscdk.customresources	AWS CDK Custom Resources
software.amazon.awscdk.cxapi	Cloud Executable API
software.amazon.awscdk.interfaces	CDK Resource Interfaces
software.amazon.awscdk.pipelines	CDK Pipelines
software.amazon.awscdk.regioninfo	AWS Region-Specific Information Directory
software.amazon.awscdk.triggers	Triggers

Class	Description
$Module
AddDockerImageAssetOptions	Options for the addDockerImageAsset operation.
AddDockerImageAssetOptions.Builder	A builder for AddDockerImageAssetOptions
AddDockerImageAssetOptions.Jsii$Proxy	An implementation for AddDockerImageAssetOptions
AddFileAssetOptions	Options for the addFileAsset operation.
AddFileAssetOptions.Builder	A builder for AddFileAssetOptions
AddFileAssetOptions.Jsii$Proxy	An implementation for AddFileAssetOptions
Annotations	Includes API for attaching annotations such as warning messages to constructs.
App	A construct which represents an entire CDK app.
App.Builder	A fluent builder for App.
AppProps	Initialization props for apps.
AppProps.Builder	A builder for AppProps
AppProps.Jsii$Proxy	An implementation for AppProps
Arn
ArnComponents	Example:
ArnComponents.Builder	A builder for ArnComponents
ArnComponents.Jsii$Proxy	An implementation for ArnComponents
ArnFormat	An enum representing the various ARN formats that different services use.
AspectApplication	Object respresenting an Aspect application.
AspectOptions	Options when Applying an Aspect.
AspectOptions.Builder	A builder for AspectOptions
AspectOptions.Jsii$Proxy	An implementation for AspectOptions
AspectPriority	Default Priority values for Aspects.
Aspects	Aspects can be applied to CDK tree scopes and can operate on the tree before synthesis.
AssetHashType	The type of asset hash.
AssetManifestBuilder	Build an asset manifest from assets added to a stack.
AssetManifestDockerImageDestination	The destination for a docker image asset, when it is given to the AssetManifestBuilder.
AssetManifestDockerImageDestination.Builder	A builder for AssetManifestDockerImageDestination
AssetManifestDockerImageDestination.Jsii$Proxy	An implementation for AssetManifestDockerImageDestination
AssetManifestFileDestination	The destination for a file asset, when it is given to the AssetManifestBuilder.
AssetManifestFileDestination.Builder	A builder for AssetManifestFileDestination
AssetManifestFileDestination.Jsii$Proxy	An implementation for AssetManifestFileDestination
AssetOptions	Asset hash options.
AssetOptions.Builder	A builder for AssetOptions
AssetOptions.Jsii$Proxy	An implementation for AssetOptions
AssetStaging	Stages a file or directory from a location on the file system into a staging directory.
AssetStaging.Builder	A fluent builder for AssetStaging.
AssetStagingProps	Initialization properties for AssetStaging.
AssetStagingProps.Builder	A builder for AssetStagingProps
AssetStagingProps.Jsii$Proxy	An implementation for AssetStagingProps
Aws	Accessor for pseudo parameters.
BootstraplessSynthesizer	Synthesizer that reuses bootstrap roles from a different region.
BootstraplessSynthesizer.Builder	A fluent builder for BootstraplessSynthesizer.
BootstraplessSynthesizerProps	Construction properties of BootstraplessSynthesizer.
BootstraplessSynthesizerProps.Builder	A builder for BootstraplessSynthesizerProps
BootstraplessSynthesizerProps.Jsii$Proxy	An implementation for BootstraplessSynthesizerProps
BundlingFileAccess	The access mechanism used to make source files available to the bundling container and to return the bundling output back to the host.
BundlingOptions	Bundling options.
BundlingOptions.Builder	A builder for BundlingOptions
BundlingOptions.Jsii$Proxy	An implementation for BundlingOptions
BundlingOutput	The type of output that a bundling operation is producing.
CfnAutoScalingReplacingUpdate	Specifies whether an Auto Scaling group and the instances it contains are replaced during an update.
CfnAutoScalingReplacingUpdate.Builder	A builder for CfnAutoScalingReplacingUpdate
CfnAutoScalingReplacingUpdate.Jsii$Proxy	An implementation for CfnAutoScalingReplacingUpdate
CfnAutoScalingRollingUpdate	To specify how AWS CloudFormation handles rolling updates for an Auto Scaling group, use the AutoScalingRollingUpdate policy.
CfnAutoScalingRollingUpdate.Builder	A builder for CfnAutoScalingRollingUpdate
CfnAutoScalingRollingUpdate.Jsii$Proxy	An implementation for CfnAutoScalingRollingUpdate
CfnAutoScalingScheduledAction	With scheduled actions, the group size properties of an Auto Scaling group can change at any time.
CfnAutoScalingScheduledAction.Builder	A builder for CfnAutoScalingScheduledAction
CfnAutoScalingScheduledAction.Jsii$Proxy	An implementation for CfnAutoScalingScheduledAction
CfnCapabilities	Capabilities that affect whether CloudFormation is allowed to change IAM resources.
CfnCodeDeployBlueGreenAdditionalOptions	Additional options for the blue/green deployment.
CfnCodeDeployBlueGreenAdditionalOptions.Builder	A builder for CfnCodeDeployBlueGreenAdditionalOptions
CfnCodeDeployBlueGreenAdditionalOptions.Jsii$Proxy	An implementation for CfnCodeDeployBlueGreenAdditionalOptions
CfnCodeDeployBlueGreenApplication	The application actually being deployed.
CfnCodeDeployBlueGreenApplication.Builder	A builder for CfnCodeDeployBlueGreenApplication
CfnCodeDeployBlueGreenApplication.Jsii$Proxy	An implementation for CfnCodeDeployBlueGreenApplication
CfnCodeDeployBlueGreenApplicationTarget	Type of the CfnCodeDeployBlueGreenApplication.target property.
CfnCodeDeployBlueGreenApplicationTarget.Builder	A builder for CfnCodeDeployBlueGreenApplicationTarget
CfnCodeDeployBlueGreenApplicationTarget.Jsii$Proxy	An implementation for CfnCodeDeployBlueGreenApplicationTarget
CfnCodeDeployBlueGreenEcsAttributes	The attributes of the ECS Service being deployed.
CfnCodeDeployBlueGreenEcsAttributes.Builder	A builder for CfnCodeDeployBlueGreenEcsAttributes
CfnCodeDeployBlueGreenEcsAttributes.Jsii$Proxy	An implementation for CfnCodeDeployBlueGreenEcsAttributes
CfnCodeDeployBlueGreenHook	A CloudFormation Hook for CodeDeploy blue-green ECS deployments.
CfnCodeDeployBlueGreenHook.Builder	A fluent builder for CfnCodeDeployBlueGreenHook.
CfnCodeDeployBlueGreenHookProps	Construction properties of CfnCodeDeployBlueGreenHook.
CfnCodeDeployBlueGreenHookProps.Builder	A builder for CfnCodeDeployBlueGreenHookProps
CfnCodeDeployBlueGreenHookProps.Jsii$Proxy	An implementation for CfnCodeDeployBlueGreenHookProps
CfnCodeDeployBlueGreenLifecycleEventHooks	Lifecycle events for blue-green deployments.
CfnCodeDeployBlueGreenLifecycleEventHooks.Builder	A builder for CfnCodeDeployBlueGreenLifecycleEventHooks
CfnCodeDeployBlueGreenLifecycleEventHooks.Jsii$Proxy	An implementation for CfnCodeDeployBlueGreenLifecycleEventHooks
CfnCodeDeployLambdaAliasUpdate	To perform an AWS CodeDeploy deployment when the version changes on an AWS::Lambda::Alias resource, use the CodeDeployLambdaAliasUpdate update policy.
CfnCodeDeployLambdaAliasUpdate.Builder	A builder for CfnCodeDeployLambdaAliasUpdate
CfnCodeDeployLambdaAliasUpdate.Jsii$Proxy	An implementation for CfnCodeDeployLambdaAliasUpdate
CfnCondition	Represents a CloudFormation condition, for resources which must be conditionally created and the determination must be made at deploy time.
CfnCondition.Builder	A fluent builder for CfnCondition.
CfnConditionProps	Example:
CfnConditionProps.Builder	A builder for CfnConditionProps
CfnConditionProps.Jsii$Proxy	An implementation for CfnConditionProps
CfnCreationPolicy	Associate the CreationPolicy attribute with a resource to prevent its status from reaching create complete until AWS CloudFormation receives a specified number of success signals or the timeout period is exceeded.
CfnCreationPolicy.Builder	A builder for CfnCreationPolicy
CfnCreationPolicy.Jsii$Proxy	An implementation for CfnCreationPolicy
CfnCustomResource	The AWS::CloudFormation::CustomResource resource creates a custom resource.
CfnCustomResource.Builder	A fluent builder for CfnCustomResource.
CfnCustomResourceProps	Properties for defining a CfnCustomResource.
CfnCustomResourceProps.Builder	A builder for CfnCustomResourceProps
CfnCustomResourceProps.Jsii$Proxy	An implementation for CfnCustomResourceProps
CfnDeletionPolicy	With the DeletionPolicy attribute you can preserve or (in some cases) backup a resource when its stack is deleted.
CfnDynamicReference	References a dynamically retrieved value.
CfnDynamicReferenceProps	Properties for a Dynamic Reference.
CfnDynamicReferenceProps.Builder	A builder for CfnDynamicReferenceProps
CfnDynamicReferenceProps.Jsii$Proxy	An implementation for CfnDynamicReferenceProps
CfnDynamicReferenceService	The service to retrieve the dynamic reference from.
CfnElement	An element of a CloudFormation stack.
CfnGuardHook	The AWS::CloudFormation::GuardHook resource creates and activates a Guard Hook.
CfnGuardHook.Builder	A fluent builder for CfnGuardHook.
CfnGuardHook.HookTargetProperty	Hook targets are the destination where hooks will be invoked against.
CfnGuardHook.HookTargetProperty.Builder	A builder for CfnGuardHook.HookTargetProperty
CfnGuardHook.HookTargetProperty.Jsii$Proxy	An implementation for CfnGuardHook.HookTargetProperty
CfnGuardHook.OptionsProperty	Specifies the input parameters for a Guard Hook.
CfnGuardHook.OptionsProperty.Builder	A builder for CfnGuardHook.OptionsProperty
CfnGuardHook.OptionsProperty.Jsii$Proxy	An implementation for CfnGuardHook.OptionsProperty
CfnGuardHook.S3LocationProperty	Specifies the S3 location where your Guard rules or input parameters are located.
CfnGuardHook.S3LocationProperty.Builder	A builder for CfnGuardHook.S3LocationProperty
CfnGuardHook.S3LocationProperty.Jsii$Proxy	An implementation for CfnGuardHook.S3LocationProperty
CfnGuardHook.StackFiltersProperty	The StackFilters property type specifies stack level filters for a Hook.
CfnGuardHook.StackFiltersProperty.Builder	A builder for CfnGuardHook.StackFiltersProperty
CfnGuardHook.StackFiltersProperty.Jsii$Proxy	An implementation for CfnGuardHook.StackFiltersProperty
CfnGuardHook.StackNamesProperty	Specifies the stack names for the StackFilters property type to include or exclude specific stacks from Hook invocations.
CfnGuardHook.StackNamesProperty.Builder	A builder for CfnGuardHook.StackNamesProperty
CfnGuardHook.StackNamesProperty.Jsii$Proxy	An implementation for CfnGuardHook.StackNamesProperty
CfnGuardHook.StackRolesProperty	Specifies the stack roles for the StackFilters property type to include or exclude specific stacks from Hook invocations based on their associated IAM roles.
CfnGuardHook.StackRolesProperty.Builder	A builder for CfnGuardHook.StackRolesProperty
CfnGuardHook.StackRolesProperty.Jsii$Proxy	An implementation for CfnGuardHook.StackRolesProperty
CfnGuardHook.TargetFiltersProperty	The TargetFilters property type specifies the target filters for the Hook.
CfnGuardHook.TargetFiltersProperty.Builder	A builder for CfnGuardHook.TargetFiltersProperty
CfnGuardHook.TargetFiltersProperty.Jsii$Proxy	An implementation for CfnGuardHook.TargetFiltersProperty
CfnGuardHookProps	Properties for defining a CfnGuardHook.
CfnGuardHookProps.Builder	A builder for CfnGuardHookProps
CfnGuardHookProps.Jsii$Proxy	An implementation for CfnGuardHookProps
CfnHook	Represents a CloudFormation resource.
CfnHook.Builder	A fluent builder for CfnHook.
CfnHookDefaultVersion	The AWS::CloudFormation::HookDefaultVersion resource specifies the default version of a Hook.
CfnHookDefaultVersion.Builder	A fluent builder for CfnHookDefaultVersion.
CfnHookDefaultVersionProps	Properties for defining a CfnHookDefaultVersion.
CfnHookDefaultVersionProps.Builder	A builder for CfnHookDefaultVersionProps
CfnHookDefaultVersionProps.Jsii$Proxy	An implementation for CfnHookDefaultVersionProps
CfnHookProps	Construction properties of CfnHook.
CfnHookProps.Builder	A builder for CfnHookProps
CfnHookProps.Jsii$Proxy	An implementation for CfnHookProps
CfnHookTypeConfig	The AWS::CloudFormation::HookTypeConfig resource specifies the configuration of an activated Hook.
CfnHookTypeConfig.Builder	A fluent builder for CfnHookTypeConfig.
CfnHookTypeConfigProps	Properties for defining a CfnHookTypeConfig.
CfnHookTypeConfigProps.Builder	A builder for CfnHookTypeConfigProps
CfnHookTypeConfigProps.Jsii$Proxy	An implementation for CfnHookTypeConfigProps
CfnHookVersion	The AWS::CloudFormation::HookVersion resource publishes new or first version of a Hook to the CloudFormation registry.
CfnHookVersion.Builder	A fluent builder for CfnHookVersion.
CfnHookVersion.LoggingConfigProperty	The LoggingConfig property type specifies logging configuration information for an extension.
CfnHookVersion.LoggingConfigProperty.Builder	A builder for CfnHookVersion.LoggingConfigProperty
CfnHookVersion.LoggingConfigProperty.Jsii$Proxy	An implementation for CfnHookVersion.LoggingConfigProperty
CfnHookVersionProps	Properties for defining a CfnHookVersion.
CfnHookVersionProps.Builder	A builder for CfnHookVersionProps
CfnHookVersionProps.Jsii$Proxy	An implementation for CfnHookVersionProps
CfnJson	Captures a synthesis-time JSON object a CloudFormation reference which resolves during deployment to the resolved values of the JSON object.
CfnJson.Builder	A fluent builder for CfnJson.
CfnJsonProps	Example:
CfnJsonProps.Builder	A builder for CfnJsonProps
CfnJsonProps.Jsii$Proxy	An implementation for CfnJsonProps
CfnLambdaHook	The AWS::CloudFormation::LambdaHook resource creates and activates a Lambda Hook.
CfnLambdaHook.Builder	A fluent builder for CfnLambdaHook.
CfnLambdaHook.HookTargetProperty	Hook targets are the destination where hooks will be invoked against.
CfnLambdaHook.HookTargetProperty.Builder	A builder for CfnLambdaHook.HookTargetProperty
CfnLambdaHook.HookTargetProperty.Jsii$Proxy	An implementation for CfnLambdaHook.HookTargetProperty
CfnLambdaHook.StackFiltersProperty	The StackFilters property type specifies stack level filters for a Hook.
CfnLambdaHook.StackFiltersProperty.Builder	A builder for CfnLambdaHook.StackFiltersProperty
CfnLambdaHook.StackFiltersProperty.Jsii$Proxy	An implementation for CfnLambdaHook.StackFiltersProperty
CfnLambdaHook.StackNamesProperty	Specifies the stack names for the StackFilters property type to include or exclude specific stacks from Hook invocations.
CfnLambdaHook.StackNamesProperty.Builder	A builder for CfnLambdaHook.StackNamesProperty
CfnLambdaHook.StackNamesProperty.Jsii$Proxy	An implementation for CfnLambdaHook.StackNamesProperty
CfnLambdaHook.StackRolesProperty	Specifies the stack roles for the StackFilters property type to include or exclude specific stacks from Hook invocations based on their associated IAM roles.
CfnLambdaHook.StackRolesProperty.Builder	A builder for CfnLambdaHook.StackRolesProperty
CfnLambdaHook.StackRolesProperty.Jsii$Proxy	An implementation for CfnLambdaHook.StackRolesProperty
CfnLambdaHook.TargetFiltersProperty	The TargetFilters property type specifies the target filters for the Hook.
CfnLambdaHook.TargetFiltersProperty.Builder	A builder for CfnLambdaHook.TargetFiltersProperty
CfnLambdaHook.TargetFiltersProperty.Jsii$Proxy	An implementation for CfnLambdaHook.TargetFiltersProperty
CfnLambdaHookProps	Properties for defining a CfnLambdaHook.
CfnLambdaHookProps.Builder	A builder for CfnLambdaHookProps
CfnLambdaHookProps.Jsii$Proxy	An implementation for CfnLambdaHookProps
CfnMacro	The AWS::CloudFormation::Macro resource is a CloudFormation resource type that creates a CloudFormation macro to perform custom processing on CloudFormation templates.
CfnMacro.Builder	A fluent builder for CfnMacro.
CfnMacroProps	Properties for defining a CfnMacro.
CfnMacroProps.Builder	A builder for CfnMacroProps
CfnMacroProps.Jsii$Proxy	An implementation for CfnMacroProps
CfnMapping	Represents a CloudFormation mapping.
CfnMapping.Builder	A fluent builder for CfnMapping.
CfnMappingProps	Example:
CfnMappingProps.Builder	A builder for CfnMappingProps
CfnMappingProps.Jsii$Proxy	An implementation for CfnMappingProps
CfnModuleDefaultVersion	Specifies the default version of a module.
CfnModuleDefaultVersion.Builder	A fluent builder for CfnModuleDefaultVersion.
CfnModuleDefaultVersionProps	Properties for defining a CfnModuleDefaultVersion.
CfnModuleDefaultVersionProps.Builder	A builder for CfnModuleDefaultVersionProps
CfnModuleDefaultVersionProps.Jsii$Proxy	An implementation for CfnModuleDefaultVersionProps
CfnModuleVersion	The AWS::CloudFormation::ModuleVersion resource registers the specified version of the module with the CloudFormation registry.
CfnModuleVersion.Builder	A fluent builder for CfnModuleVersion.
CfnModuleVersionProps	Properties for defining a CfnModuleVersion.
CfnModuleVersionProps.Builder	A builder for CfnModuleVersionProps
CfnModuleVersionProps.Jsii$Proxy	An implementation for CfnModuleVersionProps
CfnOutput	Example:
CfnOutput.Builder	A fluent builder for CfnOutput.
CfnOutputProps	Example:
CfnOutputProps.Builder	A builder for CfnOutputProps
CfnOutputProps.Jsii$Proxy	An implementation for CfnOutputProps
CfnParameter	A CloudFormation parameter.
CfnParameter.Builder	A fluent builder for CfnParameter.
CfnParameterProps	Example:
CfnParameterProps.Builder	A builder for CfnParameterProps
CfnParameterProps.Jsii$Proxy	An implementation for CfnParameterProps
CfnPublicTypeVersion	The AWS::CloudFormation::PublicTypeVersion resource tests and publishes a registered extension as a public, third-party extension.
CfnPublicTypeVersion.Builder	A fluent builder for CfnPublicTypeVersion.
CfnPublicTypeVersionProps	Properties for defining a CfnPublicTypeVersion.
CfnPublicTypeVersionProps.Builder	A builder for CfnPublicTypeVersionProps
CfnPublicTypeVersionProps.Jsii$Proxy	An implementation for CfnPublicTypeVersionProps
CfnPublisher	The AWS::CloudFormation::Publisher resource registers your account as a publisher of public extensions in the CloudFormation registry.
CfnPublisher.Builder	A fluent builder for CfnPublisher.
CfnPublisherProps	Properties for defining a CfnPublisher.
CfnPublisherProps.Builder	A builder for CfnPublisherProps
CfnPublisherProps.Jsii$Proxy	An implementation for CfnPublisherProps
CfnRefElement	Base class for referencable CloudFormation constructs which are not Resources.
CfnResource	Represents a CloudFormation resource.
CfnResource.Builder	A fluent builder for CfnResource.
CfnResourceAutoScalingCreationPolicy	For an Auto Scaling group replacement update, specifies how many instances must signal success for the update to succeed.
CfnResourceAutoScalingCreationPolicy.Builder	A builder for CfnResourceAutoScalingCreationPolicy
CfnResourceAutoScalingCreationPolicy.Jsii$Proxy	An implementation for CfnResourceAutoScalingCreationPolicy
CfnResourceDefaultVersion	The AWS::CloudFormation::ResourceDefaultVersion resource specifies the default version of a resource.
CfnResourceDefaultVersion.Builder	A fluent builder for CfnResourceDefaultVersion.
CfnResourceDefaultVersionProps	Properties for defining a CfnResourceDefaultVersion.
CfnResourceDefaultVersionProps.Builder	A builder for CfnResourceDefaultVersionProps
CfnResourceDefaultVersionProps.Jsii$Proxy	An implementation for CfnResourceDefaultVersionProps
CfnResourceProps	Example:
CfnResourceProps.Builder	A builder for CfnResourceProps
CfnResourceProps.Jsii$Proxy	An implementation for CfnResourceProps
CfnResourceSignal	When AWS CloudFormation creates the associated resource, configures the number of required success signals and the length of time that AWS CloudFormation waits for those signals.
CfnResourceSignal.Builder	A builder for CfnResourceSignal
CfnResourceSignal.Jsii$Proxy	An implementation for CfnResourceSignal
CfnResourceVersion	The AWS::CloudFormation::ResourceVersion resource registers a resource version with the CloudFormation registry.
CfnResourceVersion.Builder	A fluent builder for CfnResourceVersion.
CfnResourceVersion.LoggingConfigProperty	Logging configuration information for a resource.
CfnResourceVersion.LoggingConfigProperty.Builder	A builder for CfnResourceVersion.LoggingConfigProperty
CfnResourceVersion.LoggingConfigProperty.Jsii$Proxy	An implementation for CfnResourceVersion.LoggingConfigProperty
CfnResourceVersionProps	Properties for defining a CfnResourceVersion.
CfnResourceVersionProps.Builder	A builder for CfnResourceVersionProps
CfnResourceVersionProps.Jsii$Proxy	An implementation for CfnResourceVersionProps
CfnRule	The Rules that define template constraints in an AWS Service Catalog portfolio describe when end users can use the template and which values they can specify for parameters that are declared in the AWS CloudFormation template used to create the product they are attempting to use.
CfnRule.Builder	A fluent builder for CfnRule.
CfnRuleAssertion	A rule assertion.
CfnRuleAssertion.Builder	A builder for CfnRuleAssertion
CfnRuleAssertion.Jsii$Proxy	An implementation for CfnRuleAssertion
CfnRuleProps	A rule can include a RuleCondition property and must include an Assertions property.
CfnRuleProps.Builder	A builder for CfnRuleProps
CfnRuleProps.Jsii$Proxy	An implementation for CfnRuleProps
CfnStack	The AWS::CloudFormation::Stack resource nests a stack as a resource in a top-level template.
CfnStack.Builder	A fluent builder for CfnStack.
CfnStack.OutputProperty	The Output data type.
CfnStack.OutputProperty.Builder	A builder for CfnStack.OutputProperty
CfnStack.OutputProperty.Jsii$Proxy	An implementation for CfnStack.OutputProperty
CfnStackProps	Properties for defining a CfnStack.
CfnStackProps.Builder	A builder for CfnStackProps
CfnStackProps.Jsii$Proxy	An implementation for CfnStackProps
CfnStackSet	The AWS::CloudFormation::StackSet resource contains information about a StackSet.
CfnStackSet.AutoDeploymentProperty	Describes whether StackSets automatically deploys to AWS Organizations accounts that are added to a target organization or organizational unit (OU).
CfnStackSet.AutoDeploymentProperty.Builder	A builder for CfnStackSet.AutoDeploymentProperty
CfnStackSet.AutoDeploymentProperty.Jsii$Proxy	An implementation for CfnStackSet.AutoDeploymentProperty
CfnStackSet.Builder	A fluent builder for CfnStackSet.
CfnStackSet.DeploymentTargetsProperty	The AWS Organizations accounts or AWS accounts to deploy stacks to in the specified Regions.
CfnStackSet.DeploymentTargetsProperty.Builder	A builder for CfnStackSet.DeploymentTargetsProperty
CfnStackSet.DeploymentTargetsProperty.Jsii$Proxy	An implementation for CfnStackSet.DeploymentTargetsProperty
CfnStackSet.ManagedExecutionProperty	Describes whether StackSets performs non-conflicting operations concurrently and queues conflicting operations.
CfnStackSet.ManagedExecutionProperty.Builder	A builder for CfnStackSet.ManagedExecutionProperty
CfnStackSet.ManagedExecutionProperty.Jsii$Proxy	An implementation for CfnStackSet.ManagedExecutionProperty
CfnStackSet.OperationPreferencesProperty	The user-specified preferences for how CloudFormation performs a StackSet operation.
CfnStackSet.OperationPreferencesProperty.Builder	A builder for CfnStackSet.OperationPreferencesProperty
CfnStackSet.OperationPreferencesProperty.Jsii$Proxy	An implementation for CfnStackSet.OperationPreferencesProperty
CfnStackSet.ParameterProperty	The Parameter data type.
CfnStackSet.ParameterProperty.Builder	A builder for CfnStackSet.ParameterProperty
CfnStackSet.ParameterProperty.Jsii$Proxy	An implementation for CfnStackSet.ParameterProperty
CfnStackSet.StackInstancesProperty	Stack instances in some specific accounts and Regions.
CfnStackSet.StackInstancesProperty.Builder	A builder for CfnStackSet.StackInstancesProperty
CfnStackSet.StackInstancesProperty.Jsii$Proxy	An implementation for CfnStackSet.StackInstancesProperty
CfnStackSetProps	Properties for defining a CfnStackSet.
CfnStackSetProps.Builder	A builder for CfnStackSetProps
CfnStackSetProps.Jsii$Proxy	An implementation for CfnStackSetProps
CfnTag	Example:
CfnTag.Builder	A builder for CfnTag
CfnTag.Jsii$Proxy	An implementation for CfnTag
CfnTrafficRoute	A traffic route, representing where the traffic is being directed to.
CfnTrafficRoute.Builder	A builder for CfnTrafficRoute
CfnTrafficRoute.Jsii$Proxy	An implementation for CfnTrafficRoute
CfnTrafficRouting	Type of the CfnCodeDeployBlueGreenEcsAttributes.trafficRouting property.
CfnTrafficRouting.Builder	A builder for CfnTrafficRouting
CfnTrafficRouting.Jsii$Proxy	An implementation for CfnTrafficRouting
CfnTrafficRoutingConfig	Traffic routing configuration settings.
CfnTrafficRoutingConfig.Builder	A builder for CfnTrafficRoutingConfig
CfnTrafficRoutingConfig.Jsii$Proxy	An implementation for CfnTrafficRoutingConfig
CfnTrafficRoutingTimeBasedCanary	The traffic routing configuration if CfnTrafficRoutingConfig.type is CfnTrafficRoutingType.TIME_BASED_CANARY.
CfnTrafficRoutingTimeBasedCanary.Builder	A builder for CfnTrafficRoutingTimeBasedCanary
CfnTrafficRoutingTimeBasedCanary.Jsii$Proxy	An implementation for CfnTrafficRoutingTimeBasedCanary
CfnTrafficRoutingTimeBasedLinear	The traffic routing configuration if CfnTrafficRoutingConfig.type is CfnTrafficRoutingType.TIME_BASED_LINEAR.
CfnTrafficRoutingTimeBasedLinear.Builder	A builder for CfnTrafficRoutingTimeBasedLinear
CfnTrafficRoutingTimeBasedLinear.Jsii$Proxy	An implementation for CfnTrafficRoutingTimeBasedLinear
CfnTrafficRoutingType	The possible types of traffic shifting for the blue-green deployment configuration.
CfnTypeActivation	The AWS::CloudFormation::TypeActivation resource activates a public third-party extension, making it available for use in stack templates.
CfnTypeActivation.Builder	A fluent builder for CfnTypeActivation.
CfnTypeActivation.LoggingConfigProperty	Contains logging configuration information for an extension.
CfnTypeActivation.LoggingConfigProperty.Builder	A builder for CfnTypeActivation.LoggingConfigProperty
CfnTypeActivation.LoggingConfigProperty.Jsii$Proxy	An implementation for CfnTypeActivation.LoggingConfigProperty
CfnTypeActivationProps	Properties for defining a CfnTypeActivation.
CfnTypeActivationProps.Builder	A builder for CfnTypeActivationProps
CfnTypeActivationProps.Jsii$Proxy	An implementation for CfnTypeActivationProps
CfnUpdatePolicy	Use the UpdatePolicy attribute to specify how AWS CloudFormation handles updates to the AWS::AutoScaling::AutoScalingGroup resource.
CfnUpdatePolicy.Builder	A builder for CfnUpdatePolicy
CfnUpdatePolicy.Jsii$Proxy	An implementation for CfnUpdatePolicy
CfnWaitCondition	The AWS::CloudFormation::WaitCondition resource provides a way to coordinate stack resource creation with configuration actions that are external to the stack creation or to track the status of a configuration process.
CfnWaitCondition.Builder	A fluent builder for CfnWaitCondition.
CfnWaitConditionHandle	The AWS::CloudFormation::WaitConditionHandle type has no properties.
CfnWaitConditionHandle.Builder	A fluent builder for CfnWaitConditionHandle.
CfnWaitConditionHandleProps	Properties for defining a CfnWaitConditionHandle.
CfnWaitConditionHandleProps.Builder	A builder for CfnWaitConditionHandleProps
CfnWaitConditionHandleProps.Jsii$Proxy	An implementation for CfnWaitConditionHandleProps
CfnWaitConditionProps	Properties for defining a CfnWaitCondition.
CfnWaitConditionProps.Builder	A builder for CfnWaitConditionProps
CfnWaitConditionProps.Jsii$Proxy	An implementation for CfnWaitConditionProps
CliCredentialsStackSynthesizer	A synthesizer that uses conventional asset locations, but not conventional deployment roles.
CliCredentialsStackSynthesizer.Builder	A fluent builder for CliCredentialsStackSynthesizer.
CliCredentialsStackSynthesizerProps	Properties for the CliCredentialsStackSynthesizer.
CliCredentialsStackSynthesizerProps.Builder	A builder for CliCredentialsStackSynthesizerProps
CliCredentialsStackSynthesizerProps.Jsii$Proxy	An implementation for CliCredentialsStackSynthesizerProps
ContextProvider	Base class for the model side of context providers.
CopyOptions	Options applied when copying directories.
CopyOptions.Builder	A builder for CopyOptions
CopyOptions.Jsii$Proxy	An implementation for CopyOptions
CustomResource	Instantiation of a custom resource, whose implementation is provided a Provider.
CustomResource.Builder	A fluent builder for CustomResource.
CustomResourceProps	Properties to provide a Lambda-backed custom resource.
CustomResourceProps.Builder	A builder for CustomResourceProps
CustomResourceProps.Jsii$Proxy	An implementation for CustomResourceProps
CustomResourceProvider	An AWS-Lambda backed custom resource provider, for CDK Construct Library constructs.
CustomResourceProviderBase	Base class for creating a custom resource provider.
CustomResourceProviderBaseProps	Initialization properties for CustomResourceProviderBase.
CustomResourceProviderBaseProps.Builder	A builder for CustomResourceProviderBaseProps
CustomResourceProviderBaseProps.Jsii$Proxy	An implementation for CustomResourceProviderBaseProps
CustomResourceProviderOptions	Initialization options for custom resource providers.
CustomResourceProviderOptions.Builder	A builder for CustomResourceProviderOptions
CustomResourceProviderOptions.Jsii$Proxy	An implementation for CustomResourceProviderOptions
CustomResourceProviderProps	Initialization properties for CustomResourceProvider.
CustomResourceProviderProps.Builder	A builder for CustomResourceProviderProps
CustomResourceProviderProps.Jsii$Proxy	An implementation for CustomResourceProviderProps
CustomResourceProviderRuntime	The lambda runtime to use for the resource provider.
DefaultStackSynthesizer	Uses conventionally named roles and asset storage locations.
DefaultStackSynthesizer.Builder	A fluent builder for DefaultStackSynthesizer.
DefaultStackSynthesizerProps	Configuration properties for DefaultStackSynthesizer.
DefaultStackSynthesizerProps.Builder	A builder for DefaultStackSynthesizerProps
DefaultStackSynthesizerProps.Jsii$Proxy	An implementation for DefaultStackSynthesizerProps
DefaultTokenResolver	Default resolver implementation.
DockerBuildOptions	Docker build options.
DockerBuildOptions.Builder	A builder for DockerBuildOptions
DockerBuildOptions.Jsii$Proxy	An implementation for DockerBuildOptions
DockerBuildSecret	Methods to build Docker CLI arguments for builds using secrets.
DockerCacheOption	Options for configuring the Docker cache backend.
DockerCacheOption.Builder	A builder for DockerCacheOption
DockerCacheOption.Jsii$Proxy	An implementation for DockerCacheOption
DockerIgnoreStrategy	Ignores file paths based on the .dockerignore specification.
DockerImage	A Docker image.
DockerImageAssetLocation	The location of the published docker image.
DockerImageAssetLocation.Builder	A builder for DockerImageAssetLocation
DockerImageAssetLocation.Jsii$Proxy	An implementation for DockerImageAssetLocation
DockerImageAssetSource	Example:
DockerImageAssetSource.Builder	A builder for DockerImageAssetSource
DockerImageAssetSource.Jsii$Proxy	An implementation for DockerImageAssetSource
DockerRunOptions	Docker run options.
DockerRunOptions.Builder	A builder for DockerRunOptions
DockerRunOptions.Jsii$Proxy	An implementation for DockerRunOptions
DockerVolume	A Docker volume.
DockerVolume.Builder	A builder for DockerVolume
DockerVolume.Jsii$Proxy	An implementation for DockerVolume
DockerVolumeConsistency	Supported Docker volume consistency types.
Duration	Represents a length of time.
EncodingOptions	Properties to string encodings.
EncodingOptions.Builder	A builder for EncodingOptions
EncodingOptions.Jsii$Proxy	An implementation for EncodingOptions
Environment	The deployment environment for a stack.
Environment.Builder	A builder for Environment
Environment.Jsii$Proxy	An implementation for Environment
Errors	Helper to check if an error is of a certain type.
Expiration	Represents a date of expiration.
ExportValueOptions	Options for the stack.exportValue() method.
ExportValueOptions.Builder	A builder for ExportValueOptions
ExportValueOptions.Jsii$Proxy	An implementation for ExportValueOptions
FeatureFlags	Features that are implemented behind a flag in order to preserve backwards compatibility for existing apps.
FileAssetLocation	The location of the published file asset.
FileAssetLocation.Builder	A builder for FileAssetLocation
FileAssetLocation.Jsii$Proxy	An implementation for FileAssetLocation
FileAssetPackaging	Packaging modes for file assets.
FileAssetSource	Represents the source for a file asset.
FileAssetSource.Builder	A builder for FileAssetSource
FileAssetSource.Jsii$Proxy	An implementation for FileAssetSource
FileCopyOptions	Options applied when copying directories into the staging location.
FileCopyOptions.Builder	A builder for FileCopyOptions
FileCopyOptions.Jsii$Proxy	An implementation for FileCopyOptions
FileFingerprintOptions	Options related to calculating source hash.
FileFingerprintOptions.Builder	A builder for FileFingerprintOptions
FileFingerprintOptions.Jsii$Proxy	An implementation for FileFingerprintOptions
FileSystem	File system utilities.
FingerprintOptions	Options related to calculating source hash.
FingerprintOptions.Builder	A builder for FingerprintOptions
FingerprintOptions.Jsii$Proxy	An implementation for FingerprintOptions
Fn	CloudFormation intrinsic functions.
GetContextKeyOptions	Example:
GetContextKeyOptions.Builder	A builder for GetContextKeyOptions
GetContextKeyOptions.Jsii$Proxy	An implementation for GetContextKeyOptions
GetContextKeyResult	Example:
GetContextKeyResult.Builder	A builder for GetContextKeyResult
GetContextKeyResult.Jsii$Proxy	An implementation for GetContextKeyResult
GetContextValueOptions	Example:
GetContextValueOptions.Builder	A builder for GetContextValueOptions
GetContextValueOptions.Jsii$Proxy	An implementation for GetContextValueOptions
GetContextValueResult	Example:
GetContextValueResult.Builder	A builder for GetContextValueResult
GetContextValueResult.Jsii$Proxy	An implementation for GetContextValueResult
GitIgnoreStrategy	Ignores file paths based on the .gitignore specification.
GlobIgnoreStrategy	Ignores file paths based on simple glob patterns.
IAnyProducer	Interface for lazy untyped value producers.
IAnyProducer.Jsii$Default	Internal default implementation for IAnyProducer.
IAnyProducer.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
IAspect	Represents an Aspect.
IAspect.Jsii$Default	Internal default implementation for IAspect.
IAspect.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
IAsset	Common interface for all assets.
IAsset.Jsii$Default	Internal default implementation for IAsset.
IAsset.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
IBoundStackSynthesizer	A Stack Synthesizer, obtained from IReusableStackSynthesizer..
IBoundStackSynthesizer.Jsii$Default	Internal default implementation for IBoundStackSynthesizer.
IBoundStackSynthesizer.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
ICfnConditionExpression	Represents a CloudFormation element that can be used within a Condition.
ICfnConditionExpression.Jsii$Default	Internal default implementation for ICfnConditionExpression.
ICfnConditionExpression.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
ICfnResourceOptions
ICfnResourceOptions.Jsii$Default	Internal default implementation for ICfnResourceOptions.
ICfnResourceOptions.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
ICfnRuleConditionExpression	Interface to specify certain functions as Service Catalog rule-specific.
ICfnRuleConditionExpression.Jsii$Default	Internal default implementation for ICfnRuleConditionExpression.
ICfnRuleConditionExpression.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
IEnvironmentAware	Used to indicate that a particular construct has an resource environment.
IEnvironmentAware.Jsii$Default	Internal default implementation for IEnvironmentAware.
IEnvironmentAware.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
IFragmentConcatenator	Function used to concatenate symbols in the target document language.
IFragmentConcatenator.Jsii$Default	Internal default implementation for IFragmentConcatenator.
IFragmentConcatenator.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
IgnoreMode	Determines the ignore behavior to use.
IgnoreStrategy	Represents file path ignoring behavior.
IInspectable	Interface for examining a construct and exposing metadata.
IInspectable.Jsii$Default	Internal default implementation for IInspectable.
IInspectable.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
IListProducer	Interface for lazy list producers.
IListProducer.Jsii$Default	Internal default implementation for IListProducer.
IListProducer.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
ILocalBundling	Local bundling.
ILocalBundling.Jsii$Default	Internal default implementation for ILocalBundling.
ILocalBundling.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
InjectionContext	This defines the values needed for Injection.
InjectionContext.Builder	A builder for InjectionContext
InjectionContext.Jsii$Proxy	An implementation for InjectionContext
Intrinsic	Token subclass that represents values intrinsic to the target document language.
Intrinsic.Builder	A fluent builder for Intrinsic.
IntrinsicProps	Customization properties for an Intrinsic token.
IntrinsicProps.Builder	A builder for IntrinsicProps
IntrinsicProps.Jsii$Proxy	An implementation for IntrinsicProps
INumberProducer	Interface for lazy number producers.
INumberProducer.Jsii$Default	Internal default implementation for INumberProducer.
INumberProducer.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
IPolicyValidationContextBeta1	Context available to the validation plugin.
IPolicyValidationContextBeta1.Jsii$Default	Internal default implementation for IPolicyValidationContextBeta1.
IPolicyValidationContextBeta1.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
IPolicyValidationPluginBeta1	Represents a validation plugin that will be executed during synthesis.
IPolicyValidationPluginBeta1.Jsii$Default	Internal default implementation for IPolicyValidationPluginBeta1.
IPolicyValidationPluginBeta1.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
IPostProcessor	A Token that can post-process the complete resolved value, after resolve() has recursed over it.
IPostProcessor.Jsii$Default	Internal default implementation for IPostProcessor.
IPostProcessor.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
IPropertyInjector	This interface define an inject function that operates on a Construct's Property.
IPropertyInjector.Jsii$Default	Internal default implementation for IPropertyInjector.
IPropertyInjector.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
IResolvable	Interface for values that can be resolvable later.
IResolvable.Jsii$Default	Internal default implementation for IResolvable.
IResolvable.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
IResolveContext	Current resolution context for tokens.
IResolveContext.Jsii$Default	Internal default implementation for IResolveContext.
IResolveContext.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
IResource	Interface for L2 Resource constructs.
IResource.Jsii$Default	Internal default implementation for IResource.
IResource.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
IReusableStackSynthesizer	Interface for Stack Synthesizers that can be used for more than one stack.
IReusableStackSynthesizer.Jsii$Default	Internal default implementation for IReusableStackSynthesizer.
IReusableStackSynthesizer.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
IStableAnyProducer	Interface for (stable) lazy untyped value producers.
IStableAnyProducer.Jsii$Default	Internal default implementation for IStableAnyProducer.
IStableAnyProducer.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
IStableListProducer	Interface for (stable) lazy list producers.
IStableListProducer.Jsii$Default	Internal default implementation for IStableListProducer.
IStableListProducer.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
IStableNumberProducer	Interface for (stable) lazy number producers.
IStableNumberProducer.Jsii$Default	Internal default implementation for IStableNumberProducer.
IStableNumberProducer.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
IStableStringProducer	Interface for (stable) lazy string producers.
IStableStringProducer.Jsii$Default	Internal default implementation for IStableStringProducer.
IStableStringProducer.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
IStackSynthesizer	Encodes information how a certain Stack should be deployed.
IStackSynthesizer.Jsii$Default	Internal default implementation for IStackSynthesizer.
IStackSynthesizer.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
IStringProducer	Interface for lazy string producers.
IStringProducer.Jsii$Default	Internal default implementation for IStringProducer.
IStringProducer.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
ISynthesisSession	Represents a single session of synthesis.
ISynthesisSession.Jsii$Default	Internal default implementation for ISynthesisSession.
ISynthesisSession.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
ITaggable	Interface to implement tags.
ITaggable.Jsii$Default	Internal default implementation for ITaggable.
ITaggable.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
ITaggableV2	Modernized version of ITaggable.
ITaggableV2.Jsii$Default	Internal default implementation for ITaggableV2.
ITaggableV2.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
ITemplateOptions	CloudFormation template options for a stack.
ITemplateOptions.Jsii$Default	Internal default implementation for ITemplateOptions.
ITemplateOptions.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
ITokenMapper	Interface to apply operation to tokens in a string.
ITokenMapper.Jsii$Default	Internal default implementation for ITokenMapper.
ITokenMapper.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
ITokenResolver	How to resolve tokens.
ITokenResolver.Jsii$Default	Internal default implementation for ITokenResolver.
ITokenResolver.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
JsonNull	An object which serializes to the JSON null literal, and which can safely be passed across languages where undefined and null are not different.
Lazy	Lazily produce a value.
LazyAnyValueOptions	Options for creating lazy untyped tokens.
LazyAnyValueOptions.Builder	A builder for LazyAnyValueOptions
LazyAnyValueOptions.Jsii$Proxy	An implementation for LazyAnyValueOptions
LazyListValueOptions	Options for creating a lazy list token.
LazyListValueOptions.Builder	A builder for LazyListValueOptions
LazyListValueOptions.Jsii$Proxy	An implementation for LazyListValueOptions
LazyStringValueOptions	Options for creating a lazy string token.
LazyStringValueOptions.Builder	A builder for LazyStringValueOptions
LazyStringValueOptions.Jsii$Proxy	An implementation for LazyStringValueOptions
LegacyStackSynthesizer	Use the CDK classic way of referencing assets.
MissingRemovalPolicies	Manages removal policies for resources without existing policies within a construct scope.
Names	Functions for devising unique names for constructs.
NestedStack	A CloudFormation nested stack.
NestedStack.Builder	A fluent builder for NestedStack.
NestedStackProps	Initialization props for the NestedStack construct.
NestedStackProps.Builder	A builder for NestedStackProps
NestedStackProps.Jsii$Proxy	An implementation for NestedStackProps
NestedStackSynthesizer	Synthesizer for a nested stack.
PermissionsBoundary	Apply a permissions boundary to all IAM Roles and Users within a specific scope.
PermissionsBoundaryBindOptions	Options for binding a Permissions Boundary to a construct scope.
PermissionsBoundaryBindOptions.Builder	A builder for PermissionsBoundaryBindOptions
PermissionsBoundaryBindOptions.Jsii$Proxy	An implementation for PermissionsBoundaryBindOptions
PhysicalName	Includes special markers for automatic generation of physical names.
PolicyValidationPluginReportBeta1	The report emitted by the plugin after evaluation.
PolicyValidationPluginReportBeta1.Builder	A builder for PolicyValidationPluginReportBeta1
PolicyValidationPluginReportBeta1.Jsii$Proxy	An implementation for PolicyValidationPluginReportBeta1
PolicyValidationReportStatusBeta1	The final status of the validation report.
PolicyViolatingResourceBeta1	Resource violating a specific rule.
PolicyViolatingResourceBeta1.Builder	A builder for PolicyViolatingResourceBeta1
PolicyViolatingResourceBeta1.Jsii$Proxy	An implementation for PolicyViolatingResourceBeta1
PolicyViolationBeta1	Violation produced by the validation plugin.
PolicyViolationBeta1.Builder	A builder for PolicyViolationBeta1
PolicyViolationBeta1.Jsii$Proxy	An implementation for PolicyViolationBeta1
PropertyInjectors	This is a collection of ProjectInjectors assigned to this scope.
Reference	An intrinsic Token that represents a reference to a construct.
RemovalPolicies	Manages removal policies for all resources within a construct scope, overriding any existing policies by default.
RemovalPolicy	Possible values for a resource's Removal Policy.
RemovalPolicyOptions	Example:
RemovalPolicyOptions.Builder	A builder for RemovalPolicyOptions
RemovalPolicyOptions.Jsii$Proxy	An implementation for RemovalPolicyOptions
RemovalPolicyProps	Properties for applying a removal policy.
RemovalPolicyProps.Builder	A builder for RemovalPolicyProps
RemovalPolicyProps.Jsii$Proxy	An implementation for RemovalPolicyProps
RemoveTag	The RemoveTag Aspect will handle removing tags from this node and children.
RemoveTag.Builder	A fluent builder for RemoveTag.
ResolutionTypeHint	Type hints for resolved values.
ResolveChangeContextOptions	Options that can be changed while doing a recursive resolve.
ResolveChangeContextOptions.Builder	A builder for ResolveChangeContextOptions
ResolveChangeContextOptions.Jsii$Proxy	An implementation for ResolveChangeContextOptions
ResolveOptions	Options to the resolve() operation.
ResolveOptions.Builder	A builder for ResolveOptions
ResolveOptions.Jsii$Proxy	An implementation for ResolveOptions
Resource	An L2 construct which represents an AWS resource.
ResourceEnvironment	Represents the environment a given resource lives in.
ResourceEnvironment.Builder	A builder for ResourceEnvironment
ResourceEnvironment.Jsii$Proxy	An implementation for ResourceEnvironment
ResourceProps	Construction properties for Resource.
ResourceProps.Builder	A builder for ResourceProps
ResourceProps.Jsii$Proxy	An implementation for ResourceProps
ReverseOptions	Options for the 'reverse()' operation.
ReverseOptions.Builder	A builder for ReverseOptions
ReverseOptions.Jsii$Proxy	An implementation for ReverseOptions
RoleOptions	Options for specifying a role.
RoleOptions.Builder	A builder for RoleOptions
RoleOptions.Jsii$Proxy	An implementation for RoleOptions
ScopedAws	Accessor for scoped pseudo parameters.
SecretsManagerSecretOptions	Options for referencing a secret value from Secrets Manager.
SecretsManagerSecretOptions.Builder	A builder for SecretsManagerSecretOptions
SecretsManagerSecretOptions.Jsii$Proxy	An implementation for SecretsManagerSecretOptions
SecretValue	Work with secret values in the CDK.
SecretValue.Builder	A fluent builder for SecretValue.
Size	Represents the amount of digital storage.
SizeConversionOptions	Options for how to convert time to a different unit.
SizeConversionOptions.Builder	A builder for SizeConversionOptions
SizeConversionOptions.Jsii$Proxy	An implementation for SizeConversionOptions
SizeRoundingBehavior	Rounding behaviour when converting between units of Size.
Stack	A root construct which represents a single CloudFormation stack.
Stack.Builder	A fluent builder for Stack.
StackProps	Example:
StackProps.Builder	A builder for StackProps
StackProps.Jsii$Proxy	An implementation for StackProps
StackSynthesizer	Base class for implementing an IStackSynthesizer.
Stage	An abstract application modeling unit consisting of Stacks that should be deployed together.
Stage.Builder	A fluent builder for Stage.
StageProps	Initialization props for a stage.
StageProps.Builder	A builder for StageProps
StageProps.Jsii$Proxy	An implementation for StageProps
StageSynthesisOptions	Options for assembly synthesis.
StageSynthesisOptions.Builder	A builder for StageSynthesisOptions
StageSynthesisOptions.Jsii$Proxy	An implementation for StageSynthesisOptions
StringConcat	Converts all fragments to strings and concats those.
SymlinkFollowMode	Determines how symlinks are followed.
SynthesizeStackArtifactOptions	Stack artifact options.
SynthesizeStackArtifactOptions.Builder	A builder for SynthesizeStackArtifactOptions
SynthesizeStackArtifactOptions.Jsii$Proxy	An implementation for SynthesizeStackArtifactOptions
Tag	The Tag Aspect will handle adding a tag to this node and cascading tags to children.
Tag.Builder	A fluent builder for Tag.
TagManager	TagManager facilitates a common implementation of tagging for Constructs.
TagManager.Builder	A fluent builder for TagManager.
TagManagerOptions	Options to configure TagManager behavior.
TagManagerOptions.Builder	A builder for TagManagerOptions
TagManagerOptions.Jsii$Proxy	An implementation for TagManagerOptions
TagProps	Properties for a tag.
TagProps.Builder	A builder for TagProps
TagProps.Jsii$Proxy	An implementation for TagProps
Tags	Manages AWS tags for all resources within a construct scope.
TagType	Example:
TimeConversionOptions	Options for how to convert time to a different unit.
TimeConversionOptions.Builder	A builder for TimeConversionOptions
TimeConversionOptions.Jsii$Proxy	An implementation for TimeConversionOptions
TimeZone	Canonical names of the IANA time zones, derived from the IANA Time Zone Database.
Token	Represents a special or lazily-evaluated value.
TokenComparison	An enum-like class that represents the result of comparing two Tokens.
Tokenization	Less oft-needed functions to manipulate Tokens.
TokenizedStringFragments	Fragments of a concatenated string containing stringified Tokens.
TreeInspector	Inspector that maintains an attribute bag.
UniqueResourceNameOptions	Options for creating a unique resource name.
UniqueResourceNameOptions.Builder	A builder for UniqueResourceNameOptions
UniqueResourceNameOptions.Jsii$Proxy	An implementation for UniqueResourceNameOptions
ValidationResult	Representation of validation results.
ValidationResults	A collection of validation results.