Schema Docs


Type	`object`
Required	No
Additional properties	Not allowed

Property	Pattern	Type	Deprecated	Definition	Title/Description
- bucketName	No	string	No	-	S3 bucket name for project storage (scripts, artifacts, temp files). Auto-resolved from project when projectName is set. Use cases: Script storage; Processing artifacts; Centralized project storage AWS: S3 bucket Validation: Optional; auto-wired from project if projectName provided
- deploymentRoleArn	No	string	No	-	IAM role ARN for deployment operations and resource management. Auto-resolved from project when projectName is set. Use cases: Deployment permissions; Resource provisioning AWS: IAM role Validation: Optional; auto-wired from project if projectName provided
- functions	No	array	No	-	Lambda function definitions for serverless data processing within the project. Use cases: Event-driven processing; Serverless ETL; Data transformation AWS: Lambda functions with DataOps integration Validation: Optional; array of FunctionProps
- kmsArn	No	string	No	-	KMS key ARN for encrypting DataOps resources and data. Auto-resolved from project when projectName is set. Use cases: Data encryption; Security compliance AWS: KMS key Validation: Optional; auto-wired from project if projectName provided
- layers	No	array	No	-	Lambda layer definitions for shared code and dependencies across functions. Use cases: Shared libraries; Dependency management; Runtime consistency AWS: Lambda layers Validation: Optional; array of LayerProps
- nag_suppressions	No	object	No	In #/definitions/MdaaNagSuppressionConfigs	Q-ENHANCED-PROPERTY Optional CDK Nag suppression configurations for compliance rule management enabling controlled security rule exceptions and compliance documentation. Provides structured approach to managing security rule suppressions with proper justification and documentation for compliance auditing. Use cases: Compliance management; Security rule exceptions; Audit documentation; Controlled suppressions AWS: CDK Nag suppressions for compliance rule management and security exception documentation Validation: Must be valid MdaaNagSuppressionConfigs if provided; enables structured compliance rule management
- notificationTopicArn	No	string	No	-	SNS topic ARN for job notifications and workflow alerts. Auto-resolved from project when projectName is set. Use cases: Job failure alerts; Workflow status notifications AWS: SNS topic Validation: Optional; auto-wired from project if projectName provided
- projectName	No	string	No	-	DataOps project name for Lambda function resource autowiring. Use cases: Project integration; Shared permissions and infrastructure AWS: DataOps project reference Validation: Optional; must match an existing deployed project
- sagemakerBlueprint	No	object	No	In #/definitions/MdaaSageMakerCustomBluePrintConfig	Q-ENHANCED-PROPERTY Optional SageMaker blueprint configuration for governed self-service deployment enabling controlled infrastructure provisioning and governance. When specified, deploys the module as a SageMaker blueprint instead of direct deployment for governed access and compliance. Use cases: Governed deployment; Self-service provisioning; SageMaker integration; Controlled access AWS: SageMaker blueprint configuration for governed infrastructure deployment and self-service provisioning Validation: Must be valid MdaaServiceCatalogProductConfig if provided; enables SageMaker deployment mode
- securityConfigurationName	No	string	No	-	Glue security configuration name for job encryption (at rest, in transit, CloudWatch logs). Auto-resolved from project when projectName is set. Use cases: Job encryption; Security compliance AWS: Glue security configuration Validation: Optional; auto-wired from project if projectName provided
- service_catalog_product_config	No	object	No	In #/definitions/MdaaServiceCatalogProductConfig	Q-ENHANCED-PROPERTY Optional Service Catalog product configuration for governed self-service deployment enabling controlled infrastructure provisioning and governance. When specified, deploys the module as a Service Catalog product instead of direct deployment for governed access and compliance. Use cases: Governed deployment; Self-service provisioning; Service Catalog integration; Controlled access AWS: Service Catalog product configuration for governed infrastructure deployment and self-service provisioning Validation: Must be valid MdaaServiceCatalogProductConfig if provided; enables Service Catalog deployment mode

1. Property `root > bucketName`


Type	`string`
Required	No

Description: S3 bucket name for project storage (scripts, artifacts, temp files). Auto-resolved from project when projectName is set.

Use cases: Script storage; Processing artifacts; Centralized project storage

AWS: S3 bucket

Validation: Optional; auto-wired from project if projectName provided

2. Property `root > deploymentRoleArn`


Type	`string`
Required	No

Description: IAM role ARN for deployment operations and resource management. Auto-resolved from project when projectName is set.

Use cases: Deployment permissions; Resource provisioning

AWS: IAM role

Validation: Optional; auto-wired from project if projectName provided

3. Property `root > functions`


Type	`array`
Required	No

Description: Lambda function definitions for serverless data processing within the project.

Use cases: Event-driven processing; Serverless ETL; Data transformation

AWS: Lambda functions with DataOps integration

Validation: Optional; array of FunctionProps

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
FunctionProps	Lambda function configuration for data processing with S3 event and EventBridge integration. ...

3.1. root > functions > FunctionProps


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/FunctionProps

Description: Lambda function configuration for data processing with S3 event and EventBridge integration.

Defines Lambda function properties for data processing workflows triggered by S3 object events and EventBridge rules in data lake operations.

Use cases: S3 event-driven data processing; Data transformation; EventBridge-triggered operations

AWS: Lambda function configuration with S3 EventBridge notifications and custom event rules

Validation: srcDir must exist; runtime must be valid Lambda runtime; handler must match code structure

Property	Pattern	Type	Deprecated	Definition	Title/Description
- additionalResourcePermissions	No	object	No	-	Additional resource permissions mapped by SID.
- alarms	No	array	No	-	CloudWatch alarms for monitoring and alerting. Custom metrics validated against metricFilters.
- description	No	string	No	-	Optional function description.
- dockerBuild	No	boolean	No	-	When true, srcDir must contain a Dockerfile for container image deployment.
- environment	No	object	No	-	Environment variables for function configuration.
- ephemeralStorageSizeMB	No	number	No	-	The size of the function's /tmp directory in MB.
- eventBridge	No	object	No	In #/definitions/EventBridgeProps	EventBridge configuration for event-driven execution.
+ functionName	No	string	No	-	Lambda function name.
- generatedLayerNames	No	array of string	No	-	Generated layer names to attach to the function.
- grantInvoke	No	string	No	-	Principal ARN granted Lambda invoke permissions.
- handler	No	string	No	-	Lambda function handler (e.g., 'index.handler').
- layerArns	No	object	No	-	Existing layer version ARNs mapped by name.
- logInsightsQueries	No	array	No	-	CloudWatch Logs Insights saved queries for log analysis.
- maxEventAgeSeconds	No	number	No	-	Maximum event age in seconds (60-21600).
- memorySizeMB	No	number	No	-	Memory allocation in MB (128-10240).
- metricFilters	No	array	No	-	CloudWatch metric filters for custom metric extraction.
- reservedConcurrentExecutions	No	number	No	-	Reserved concurrent executions for capacity management.
- retryAttempts	No	number	No	-	Maximum retry attempts for failed executions (0-2).
+ roleArn	No	string	No	-	IAM role ARN for Lambda function execution.
- runtime	No	string	No	-	Lambda runtime (e.g., python3.9, nodejs18.x).
+ srcDir	No	string	No	-	Source code directory path containing Lambda function code.
- timeoutSeconds	No	number	No	-	Function timeout in seconds.
- vpcConfig	No	object	No	In #/definitions/VpcConfigProps	VPC configuration for network deployment.

3.1.1. Property `root > functions > functions items > additionalResourcePermissions`


Type	`object`
Required	No
Additional properties	Each additional property must conform to the schema

Description: Additional resource permissions mapped by SID.

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	object	No	In #/definitions/AdditionalResourcePermission	Lambda resource permission for fine-grained access control. Defines specific permissions for AWS principals to access Lambda functions with optional source restrictions for enhanced security. Use cases: S3 service permissions; EventBridge rule access; Cross-account data processing AWS: Lambda resource policy permissions for controlled function access Validation: principal and action are required; sourceAccount and sourceArn provide additional security

3.1.1.1. Property `root > functions > functions items > additionalResourcePermissions > AdditionalResourcePermission`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/AdditionalResourcePermission

Description: Lambda resource permission for fine-grained access control.

Defines specific permissions for AWS principals to access Lambda functions with optional source restrictions for enhanced security.

Use cases: S3 service permissions; EventBridge rule access; Cross-account data processing

AWS: Lambda resource policy permissions for controlled function access

Validation: principal and action are required; sourceAccount and sourceArn provide additional security

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ action	No	string	No	-	Lambda action (e.g., lambda:InvokeFunction).
+ principal	No	string	No	-	AWS principal ARN for Lambda function access.
- sourceAccount	No	string	No	-	Optional source account restriction for cross-account security.
- sourceArn	No	string	No	-	Optional source resource ARN restriction for fine-grained access control.

3.1.1.1.1. Property `root > functions > functions items > additionalResourcePermissions > additionalProperties > action`


Type	`string`
Required	Yes

Description: Lambda action (e.g., lambda:InvokeFunction).

3.1.1.1.2. Property `root > functions > functions items > additionalResourcePermissions > additionalProperties > principal`


Type	`string`
Required	Yes

Description: AWS principal ARN for Lambda function access.

3.1.1.1.3. Property `root > functions > functions items > additionalResourcePermissions > additionalProperties > sourceAccount`


Type	`string`
Required	No

Description: Optional source account restriction for cross-account security.

3.1.1.1.4. Property `root > functions > functions items > additionalResourcePermissions > additionalProperties > sourceArn`


Type	`string`
Required	No

Description: Optional source resource ARN restriction for fine-grained access control.

3.1.2. Property `root > functions > functions items > alarms`


Type	`array`
Required	No

Description: CloudWatch alarms for monitoring and alerting. Custom metrics validated against metricFilters.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
AlarmProps	Configuration for CloudWatch alarms for Lambda function monitoring and alerting. ...

3.1.2.1. root > functions > functions items > alarms > AlarmProps


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/AlarmProps

Description: Configuration for CloudWatch alarms for Lambda function monitoring and alerting.

Defines alarm conditions, thresholds, and notification actions for both single metric and metric math alarms with support for custom and AWS metrics.

Use cases: Error rate alerting; Performance monitoring; Custom metric alarms; Multi-metric conditions

AWS: CloudWatch alarm for Lambda function monitoring with SNS integration

Validation: alarmName required; either metricName/namespace or metrics array required; threshold and evaluationPeriods required

Property	Pattern	Type	Deprecated	Definition	Title/Description
- actionsEnabled	No	boolean	No	-	Whether alarm actions are enabled during state changes.
- alarmActions	No	array of string	No	-	SNS topic ARNs for ALARM state notifications.
- alarmDescription	No	string	No	-	Human-readable alarm description.
+ alarmName	No	string	No	-	Unique name for the alarm.
+ comparisonOperator	No	string	No	-	Comparison operator (e.g., GreaterThanOrEqualToThreshold).
- datapointsToAlarm	No	number	No	-	Datapoints that must breach threshold (M out of N evaluation).
- dimensions	No	object	No	-	Metric dimensions. Supports {{functionName}} placeholder.
+ evaluationPeriods	No	number	No	-	Number of consecutive periods the metric must breach the threshold.
- insufficientDataActions	No	array of string	No	-	SNS topic ARNs for INSUFFICIENT_DATA state notifications.
- metricName	No	string	No	-	Metric name for single metric alarms. Validated against metric filters for custom metrics.
- metrics	No	array	No	-	Metric data queries for metric math alarms. Mutually exclusive with metricName.
- namespace	No	string	No	-	Metric namespace. AWS/* namespaces bypass validation.
- okActions	No	array of string	No	-	SNS topic ARNs for OK state notifications.
- period	No	number	No	-	Evaluation period in seconds.
- statistic	No	string	No	-	Statistic for metric aggregation (e.g., Sum, Average).
+ threshold	No	number	No	-	Threshold value for alarm comparison.
- treatMissingData	No	string	No	-	Missing data treatment (notBreaching, breaching, ignore, missing).
- unit	No	string	No	-	CloudWatch metric unit.

3.1.2.1.1. Property `root > functions > functions items > alarms > alarms items > actionsEnabled`


Type	`boolean`
Required	No

Description: Whether alarm actions are enabled during state changes.

3.1.2.1.2. Property `root > functions > functions items > alarms > alarms items > alarmActions`


Type	`array of string`
Required	No

Description: SNS topic ARNs for ALARM state notifications.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
alarmActions items	-

3.1.2.1.2.1. root > functions > functions items > alarms > alarms items > alarmActions > alarmActions items


Type	`string`
Required	No

3.1.2.1.3. Property `root > functions > functions items > alarms > alarms items > alarmDescription`


Type	`string`
Required	No

Description: Human-readable alarm description.

3.1.2.1.4. Property `root > functions > functions items > alarms > alarms items > alarmName`


Type	`string`
Required	Yes

Description: Unique name for the alarm.

3.1.2.1.5. Property `root > functions > functions items > alarms > alarms items > comparisonOperator`


Type	`string`
Required	Yes

Description: Comparison operator (e.g., GreaterThanOrEqualToThreshold).

3.1.2.1.6. Property `root > functions > functions items > alarms > alarms items > datapointsToAlarm`


Type	`number`
Required	No

Description: Datapoints that must breach threshold (M out of N evaluation).

3.1.2.1.7. Property `root > functions > functions items > alarms > alarms items > dimensions`


Type	`object`
Required	No
Additional properties	Each additional property must conform to the schema

Description: Metric dimensions. Supports {{functionName}} placeholder.

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	string	No	-	-

3.1.2.1.7.1. Property `root > functions > functions items > alarms > alarms items > dimensions > additionalProperties`


Type	`string`
Required	No

3.1.2.1.8. Property `root > functions > functions items > alarms > alarms items > evaluationPeriods`


Type	`number`
Required	Yes

Description: Number of consecutive periods the metric must breach the threshold.

3.1.2.1.9. Property `root > functions > functions items > alarms > alarms items > insufficientDataActions`


Type	`array of string`
Required	No

Description: SNS topic ARNs for INSUFFICIENT_DATA state notifications.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
insufficientDataActions items	-

3.1.2.1.9.1. root > functions > functions items > alarms > alarms items > insufficientDataActions > insufficientDataActions items


Type	`string`
Required	No

3.1.2.1.10. Property `root > functions > functions items > alarms > alarms items > metricName`


Type	`string`
Required	No

Description: Metric name for single metric alarms. Validated against metric filters for custom metrics.

3.1.2.1.11. Property `root > functions > functions items > alarms > alarms items > metrics`


Type	`array`
Required	No

Description: Metric data queries for metric math alarms. Mutually exclusive with metricName.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
MetricDataQueryProps	Configuration for CloudWatch metric data queries used in metric math alarms. ...

3.1.2.1.11.1. root > functions > functions items > alarms > alarms items > metrics > MetricDataQueryProps


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/MetricDataQueryProps

Description: Configuration for CloudWatch metric data queries used in metric math alarms.

Defines individual metrics or expressions for metric math alarms enabling complex alerting logic combining multiple metrics.

Use cases: Metric math expressions; Multi-metric alarms; Calculated metrics; Complex alerting

AWS: CloudWatch metric data query for metric math alarms and complex metric expressions

Validation: id required; either expression or metricName/namespace required

Property	Pattern	Type	Deprecated	Definition	Title/Description
- dimensions	No	object	No	-	Metric dimensions for filtering to specific instances.
- expression	No	string	No	-	Metric math expression (e.g., "m1+m2"). Mutually exclusive with metricName.
+ id	No	string	No	-	Unique identifier for the query, referenced in metric math expressions (e.g., "m1", "total").
- label	No	string	No	-	Human-readable label for dashboards and alarms.
- metricName	No	string	No	-	CloudWatch metric name. Mutually exclusive with expression.
- namespace	No	string	No	-	CloudWatch metric namespace. Required when using metricName.
- period	No	number	No	-	Evaluation period in seconds for metric aggregation.
- returnData	No	boolean	No	-	Whether this metric data should be returned in query results.
- statistic	No	string	No	-	Statistic for metric aggregation (e.g., Sum, Average, Maximum).
- unit	No	string	No	-	CloudWatch metric unit (e.g., Count, Milliseconds).

3.1.2.1.11.1.1. Property `root > functions > functions items > alarms > alarms items > metrics > metrics items > dimensions`


Type	`object`
Required	No
Additional properties	Each additional property must conform to the schema

Description: Metric dimensions for filtering to specific instances.

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	string	No	-	-

3.1.2.1.11.1.1.1. Property `root > functions > functions items > alarms > alarms items > metrics > metrics items > dimensions > additionalProperties`


Type	`string`
Required	No

3.1.2.1.11.1.2. Property `root > functions > functions items > alarms > alarms items > metrics > metrics items > expression`


Type	`string`
Required	No

Description: Metric math expression (e.g., "m1+m2"). Mutually exclusive with metricName.

3.1.2.1.11.1.3. Property `root > functions > functions items > alarms > alarms items > metrics > metrics items > id`


Type	`string`
Required	Yes

Description: Unique identifier for the query, referenced in metric math expressions (e.g., "m1", "total").

3.1.2.1.11.1.4. Property `root > functions > functions items > alarms > alarms items > metrics > metrics items > label`


Type	`string`
Required	No

Description: Human-readable label for dashboards and alarms.

3.1.2.1.11.1.5. Property `root > functions > functions items > alarms > alarms items > metrics > metrics items > metricName`


Type	`string`
Required	No

Description: CloudWatch metric name. Mutually exclusive with expression.

3.1.2.1.11.1.6. Property `root > functions > functions items > alarms > alarms items > metrics > metrics items > namespace`


Type	`string`
Required	No

Description: CloudWatch metric namespace. Required when using metricName.

3.1.2.1.11.1.7. Property `root > functions > functions items > alarms > alarms items > metrics > metrics items > period`


Type	`number`
Required	No

Description: Evaluation period in seconds for metric aggregation.

3.1.2.1.11.1.8. Property `root > functions > functions items > alarms > alarms items > metrics > metrics items > returnData`


Type	`boolean`
Required	No

Description: Whether this metric data should be returned in query results.

3.1.2.1.11.1.9. Property `root > functions > functions items > alarms > alarms items > metrics > metrics items > statistic`


Type	`string`
Required	No

Description: Statistic for metric aggregation (e.g., Sum, Average, Maximum).

3.1.2.1.11.1.10. Property `root > functions > functions items > alarms > alarms items > metrics > metrics items > unit`


Type	`string`
Required	No

Description: CloudWatch metric unit (e.g., Count, Milliseconds).

3.1.2.1.12. Property `root > functions > functions items > alarms > alarms items > namespace`


Type	`string`
Required	No

Description: Metric namespace. AWS/* namespaces bypass validation.

3.1.2.1.13. Property `root > functions > functions items > alarms > alarms items > okActions`


Type	`array of string`
Required	No

Description: SNS topic ARNs for OK state notifications.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
okActions items	-

3.1.2.1.13.1. root > functions > functions items > alarms > alarms items > okActions > okActions items


Type	`string`
Required	No

3.1.2.1.14. Property `root > functions > functions items > alarms > alarms items > period`


Type	`number`
Required	No

Description: Evaluation period in seconds.

3.1.2.1.15. Property `root > functions > functions items > alarms > alarms items > statistic`


Type	`string`
Required	No

Description: Statistic for metric aggregation (e.g., Sum, Average).

3.1.2.1.16. Property `root > functions > functions items > alarms > alarms items > threshold`


Type	`number`
Required	Yes

Description: Threshold value for alarm comparison.

3.1.2.1.17. Property `root > functions > functions items > alarms > alarms items > treatMissingData`


Type	`string`
Required	No

Description: Missing data treatment (notBreaching, breaching, ignore, missing).

3.1.2.1.18. Property `root > functions > functions items > alarms > alarms items > unit`


Type	`string`
Required	No

Description: CloudWatch metric unit.

3.1.3. Property `root > functions > functions items > description`


Type	`string`
Required	No

Description: Optional function description.

3.1.4. Property `root > functions > functions items > dockerBuild`


Type	`boolean`
Required	No

Description: When true, srcDir must contain a Dockerfile for container image deployment.

3.1.5. Property `root > functions > functions items > environment`


Type	`object`
Required	No
Additional properties	Each additional property must conform to the schema

Description: Environment variables for function configuration.

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	string	No	-	-

3.1.5.1. Property `root > functions > functions items > environment > additionalProperties`


Type	`string`
Required	No

3.1.6. Property `root > functions > functions items > ephemeralStorageSizeMB`


Type	`number`
Required	No
Default	`"512 MiB"`

Description: The size of the function's /tmp directory in MB.

3.1.7. Property `root > functions > functions items > eventBridge`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/EventBridgeProps

Description: EventBridge configuration for event-driven execution.

Property	Pattern	Type	Deprecated	Definition	Title/Description
- eventBridgeRules	No	object	No	In #/definitions/NamedEventBridgeRuleProps	Collection of named general EventBridge rules that trigger processing workflows based on custom event patterns or schedules. Use cases: Custom event-driven processing; Scheduled triggers; Cross-service event routing AWS: EventBridge rules with custom event patterns or schedule expressions Validation: Optional; keys are unique rule names, values must be valid EventBridgeRuleProps
- maxEventAgeSeconds	No	number	No	-	Maximum age in seconds that EventBridge will attempt to deliver an event to the target before discarding it. Use cases: Event delivery timeout; Stale event management; Delivery window control AWS: EventBridge rule target maximum event age configuration Validation: Optional; must be between 60 and 86400 seconds if provided
- retryAttempts	No	number	No	-	Maximum number of retry attempts EventBridge will make when the target returns an error. Use cases: Retry configuration; Error resilience; Delivery reliability tuning AWS: EventBridge rule target retry attempts configuration Validation: Optional; must be between 0 and 185 if provided
- s3EventBridgeRules	No	object	No	In #/definitions/NamedS3EventBridgeRuleProps	Collection of named S3 EventBridge rules that trigger processing workflows based on S3 object events. Use cases: S3 event-driven ETL; Object creation triggers; Multi-bucket event routing AWS: EventBridge rules with S3 object event patterns for automated processing Validation: Optional; keys are unique rule names, values must be valid S3EventBridgeRuleProps

3.1.7.1. Property `root > functions > functions items > eventBridge > eventBridgeRules`


Type	`object`
Required	No
Additional properties	Each additional property must conform to the schema
Defined in	#/definitions/NamedEventBridgeRuleProps

Description: Collection of named general EventBridge rules that trigger processing workflows based on custom event patterns or schedules.

Use cases: Custom event-driven processing; Scheduled triggers; Cross-service event routing

AWS: EventBridge rules with custom event patterns or schedule expressions

Validation: Optional; keys are unique rule names, values must be valid EventBridgeRuleProps

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	object	No	In #/definitions/EventBridgeRuleProps	-

3.1.7.1.1. Property `root > functions > functions items > eventBridge > eventBridgeRules > EventBridgeRuleProps`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/EventBridgeRuleProps

Property	Pattern	Type	Deprecated	Definition	Title/Description
- description	No	string	No	-	Human-readable description of the EventBridge rule explaining its purpose and trigger conditions. Use cases: Rule documentation; Operational clarity; Rule identification in console AWS: EventBridge rule description displayed in the AWS console Validation: Optional; free-form text
- eventBusArn	No	string	No	-	ARN of the custom EventBridge event bus where the rule should be created. Use cases: Custom event bus routing; Cross-account event delivery; Dedicated event bus targeting AWS: EventBridge custom event bus ARN for rule placement Validation: Optional; must be a valid EventBridge event bus ARN if provided; defaults to the default event bus
- eventPattern	No	object	No	In #/definitions/EventPattern	EventBridge event pattern that defines which events should trigger the rule. Use cases: Event filtering; Source-specific triggers; Detail-based matching; Custom event routing AWS: EventBridge event pattern for rule matching and filtering Validation: Optional; must be a valid EventBridge EventPattern if provided; mutually exclusive with scheduleExpression for some use cases
- input	No	object	No	-	Custom input payload that will be provided to the rule target instead of the original event content. Use cases: Custom target input; Event transformation; Static payload injection AWS: EventBridge rule target input transformation Validation: Optional; will be serialized as JSON input to the target
- scheduleExpression	No	string	No	-	Schedule expression for time-based rule triggering using EventBridge cron or rate expressions. Use cases: Scheduled processing; Periodic triggers; Cron-based automation; Rate-based execution AWS: EventBridge schedule expression (cron or rate syntax) Validation: Optional; must be a valid cron() or rate() expression if provided

3.1.7.1.1.1. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > description`


Type	`string`
Required	No

Description: Human-readable description of the EventBridge rule explaining its purpose and trigger conditions.

Use cases: Rule documentation; Operational clarity; Rule identification in console

AWS: EventBridge rule description displayed in the AWS console

Validation: Optional; free-form text

3.1.7.1.1.2. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventBusArn`


Type	`string`
Required	No

Description: ARN of the custom EventBridge event bus where the rule should be created.

Use cases: Custom event bus routing; Cross-account event delivery; Dedicated event bus targeting

AWS: EventBridge custom event bus ARN for rule placement

Validation: Optional; must be a valid EventBridge event bus ARN if provided; defaults to the default event bus

3.1.7.1.1.3. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/EventPattern

Description: EventBridge event pattern that defines which events should trigger the rule.

Use cases: Event filtering; Source-specific triggers; Detail-based matching; Custom event routing

AWS: EventBridge event pattern for rule matching and filtering

Validation: Optional; must be a valid EventBridge EventPattern if provided; mutually exclusive with scheduleExpression for some use cases

Property	Pattern	Type	Deprecated	Definition	Title/Description
- account	No	array of string	No	-	The 12-digit number identifying an AWS account.
- detail	No	object	No	-	A JSON object, whose content is at the discretion of the service originating the event.
- detailType	No	array of string	No	-	Identifies, in combination with the source field, the fields and values that appear in the detail field. Represents the "detail-type" event field.
- id	No	array of string	No	-	A unique value is generated for every event. This can be helpful in tracing events as they move through rules to targets, and are processed.
- region	No	array of string	No	-	Identifies the AWS region where the event originated.
- resources	No	array of string	No	-	This JSON array contains ARNs that identify resources that are involved in the event. Inclusion of these ARNs is at the discretion of the service. For example, Amazon EC2 instance state-changes include Amazon EC2 instance ARNs, Auto Scaling events include ARNs for both instances and Auto Scaling groups, but API calls with AWS CloudTrail do not include resource ARNs.
- source	No	array of string	No	-	Identifies the service that sourced the event. All events sourced from within AWS begin with "aws." Customer-generated events can have any value here, as long as it doesn't begin with "aws." We recommend the use of Java package-name style reverse domain-name strings. To find the correct value for source for an AWS service, see the table in AWS Service Namespaces. For example, the source value for Amazon CloudFront is aws.cloudfront.
- time	No	array of string	No	-	The event timestamp, which can be specified by the service originating the event. If the event spans a time interval, the service might choose to report the start time, so this value can be noticeably before the time the event is actually received.
- version	No	array of string	No	-	By default, this is set to 0 (zero) in all events.

3.1.7.1.1.3.1. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > account`


Type	`array of string`
Required	No
Default	`"- No filtering on account"`

Description: The 12-digit number identifying an AWS account.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
account items	-

3.1.7.1.1.3.1.1. root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > account > account items


Type	`string`
Required	No

3.1.7.1.1.3.2. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > detail`


Type	`object`
Required	No
Additional properties	Each additional property must conform to the schema
Default	`"- No filtering on detail"`

Description: A JSON object, whose content is at the discretion of the service originating the event.

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	object	No	-	-

3.1.7.1.1.3.2.1. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > detail > additionalProperties`


Type	`object`
Required	No
Additional properties	Any type allowed

3.1.7.1.1.3.3. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > detailType`


Type	`array of string`
Required	No
Default	`"- No filtering on detail type"`

Description: Identifies, in combination with the source field, the fields and values that appear in the detail field.

Represents the "detail-type" event field.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
detailType items	-

3.1.7.1.1.3.3.1. root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > detailType > detailType items


Type	`string`
Required	No

3.1.7.1.1.3.4. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > id`


Type	`array of string`
Required	No
Default	`"- No filtering on id"`

Description: A unique value is generated for every event. This can be helpful in tracing events as they move through rules to targets, and are processed.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
id items	-

3.1.7.1.1.3.4.1. root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > id > id items


Type	`string`
Required	No

3.1.7.1.1.3.5. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > region`


Type	`array of string`
Required	No
Default	`"- No filtering on region"`

Description: Identifies the AWS region where the event originated.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
region items	-

3.1.7.1.1.3.5.1. root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > region > region items


Type	`string`
Required	No

3.1.7.1.1.3.6. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > resources`


Type	`array of string`
Required	No
Default	`"- No filtering on resource"`

Description: This JSON array contains ARNs that identify resources that are involved in the event. Inclusion of these ARNs is at the discretion of the service.

For example, Amazon EC2 instance state-changes include Amazon EC2 instance ARNs, Auto Scaling events include ARNs for both instances and Auto Scaling groups, but API calls with AWS CloudTrail do not include resource ARNs.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
resources items	-

3.1.7.1.1.3.6.1. root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > resources > resources items


Type	`string`
Required	No

3.1.7.1.1.3.7. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > source`


Type	`array of string`
Required	No
Default	`"- No filtering on source"`

Description: Identifies the service that sourced the event. All events sourced from within AWS begin with "aws." Customer-generated events can have any value here, as long as it doesn't begin with "aws." We recommend the use of Java package-name style reverse domain-name strings.

To find the correct value for source for an AWS service, see the table in AWS Service Namespaces. For example, the source value for Amazon CloudFront is aws.cloudfront.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
source items	-

3.1.7.1.1.3.7.1. root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > source > source items


Type	`string`
Required	No

3.1.7.1.1.3.8. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > time`


Type	`array of string`
Required	No
Default	`"- No filtering on time"`

Description: The event timestamp, which can be specified by the service originating the event. If the event spans a time interval, the service might choose to report the start time, so this value can be noticeably before the time the event is actually received.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
time items	-

3.1.7.1.1.3.8.1. root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > time > time items


Type	`string`
Required	No

3.1.7.1.1.3.9. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > version`


Type	`array of string`
Required	No
Default	`"- No filtering on version"`

Description: By default, this is set to 0 (zero) in all events.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
version items	-

3.1.7.1.1.3.9.1. root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > version > version items


Type	`string`
Required	No

3.1.7.1.1.4. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > input`


Type	`object`
Required	No
Additional properties	Any type allowed

Description: Custom input payload that will be provided to the rule target instead of the original event content.

Use cases: Custom target input; Event transformation; Static payload injection

AWS: EventBridge rule target input transformation

Validation: Optional; will be serialized as JSON input to the target

3.1.7.1.1.5. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > scheduleExpression`


Type	`string`
Required	No

Description: Schedule expression for time-based rule triggering using EventBridge cron or rate expressions.

Use cases: Scheduled processing; Periodic triggers; Cron-based automation; Rate-based execution

AWS: EventBridge schedule expression (cron or rate syntax)

Validation: Optional; must be a valid cron() or rate() expression if provided

3.1.7.2. Property `root > functions > functions items > eventBridge > maxEventAgeSeconds`


Type	`number`
Required	No

Description: Maximum age in seconds that EventBridge will attempt to deliver an event to the target before discarding it.

Use cases: Event delivery timeout; Stale event management; Delivery window control

AWS: EventBridge rule target maximum event age configuration

Validation: Optional; must be between 60 and 86400 seconds if provided

3.1.7.3. Property `root > functions > functions items > eventBridge > retryAttempts`


Type	`number`
Required	No

Description: Maximum number of retry attempts EventBridge will make when the target returns an error.

Use cases: Retry configuration; Error resilience; Delivery reliability tuning

AWS: EventBridge rule target retry attempts configuration

Validation: Optional; must be between 0 and 185 if provided

3.1.7.4. Property `root > functions > functions items > eventBridge > s3EventBridgeRules`


Type	`object`
Required	No
Additional properties	Each additional property must conform to the schema
Defined in	#/definitions/NamedS3EventBridgeRuleProps

Description: Collection of named S3 EventBridge rules that trigger processing workflows based on S3 object events.

Use cases: S3 event-driven ETL; Object creation triggers; Multi-bucket event routing

AWS: EventBridge rules with S3 object event patterns for automated processing

Validation: Optional; keys are unique rule names, values must be valid S3EventBridgeRuleProps

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	object	No	In #/definitions/S3EventBridgeRuleProps	-

3.1.7.4.1. Property `root > functions > functions items > eventBridge > s3EventBridgeRules > S3EventBridgeRuleProps`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/S3EventBridgeRuleProps

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ buckets	No	array of string	No	-	Array of S3 bucket names that should trigger the EventBridge rule when object events occur. Use cases: S3 event-driven processing; Bucket-specific triggers; Multi-bucket event routing AWS: S3 bucket names for EventBridge S3 object event pattern matching Validation: Required; must be non-empty array of valid S3 bucket names
- eventBusArn	No	string	No	-	ARN of the custom EventBridge event bus where the rule should be created. Use cases: Custom event bus routing; Cross-account event delivery; Dedicated event bus targeting AWS: EventBridge custom event bus ARN for rule placement Validation: Optional; must be a valid EventBridge event bus ARN if provided; defaults to the default event bus
- prefixes	No	array of string	No	-	Array of S3 object key prefixes that filter which objects trigger the EventBridge rule. Use cases: Prefix-based event filtering; Selective object processing; Path-scoped triggers AWS: S3 object key prefix filters for EventBridge event pattern matching Validation: Optional; each prefix should be a valid S3 key prefix

3.1.7.4.1.1. Property `root > functions > functions items > eventBridge > s3EventBridgeRules > additionalProperties > buckets`


Type	`array of string`
Required	Yes

Description: Array of S3 bucket names that should trigger the EventBridge rule when object events occur.

Use cases: S3 event-driven processing; Bucket-specific triggers; Multi-bucket event routing

AWS: S3 bucket names for EventBridge S3 object event pattern matching

Validation: Required; must be non-empty array of valid S3 bucket names

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
buckets items	-

3.1.7.4.1.1.1. root > functions > functions items > eventBridge > s3EventBridgeRules > additionalProperties > buckets > buckets items


Type	`string`
Required	No

3.1.7.4.1.2. Property `root > functions > functions items > eventBridge > s3EventBridgeRules > additionalProperties > eventBusArn`


Type	`string`
Required	No

Description: ARN of the custom EventBridge event bus where the rule should be created.

Use cases: Custom event bus routing; Cross-account event delivery; Dedicated event bus targeting

AWS: EventBridge custom event bus ARN for rule placement

Validation: Optional; must be a valid EventBridge event bus ARN if provided; defaults to the default event bus

3.1.7.4.1.3. Property `root > functions > functions items > eventBridge > s3EventBridgeRules > additionalProperties > prefixes`


Type	`array of string`
Required	No

Description: Array of S3 object key prefixes that filter which objects trigger the EventBridge rule.

Use cases: Prefix-based event filtering; Selective object processing; Path-scoped triggers

AWS: S3 object key prefix filters for EventBridge event pattern matching

Validation: Optional; each prefix should be a valid S3 key prefix

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
prefixes items	-

3.1.7.4.1.3.1. root > functions > functions items > eventBridge > s3EventBridgeRules > additionalProperties > prefixes > prefixes items


Type	`string`
Required	No

3.1.8. Property `root > functions > functions items > functionName`


Type	`string`
Required	Yes

Description: Lambda function name.

3.1.9. Property `root > functions > functions items > generatedLayerNames`


Type	`array of string`
Required	No

Description: Generated layer names to attach to the function.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
generatedLayerNames items	-

3.1.9.1. root > functions > functions items > generatedLayerNames > generatedLayerNames items


Type	`string`
Required	No

3.1.10. Property `root > functions > functions items > grantInvoke`


Type	`string`
Required	No

Description: Principal ARN granted Lambda invoke permissions.

3.1.11. Property `root > functions > functions items > handler`


Type	`string`
Required	No

Description: Lambda function handler (e.g., 'index.handler').

3.1.12. Property `root > functions > functions items > layerArns`


Type	`object`
Required	No
Additional properties	Each additional property must conform to the schema

Description: Existing layer version ARNs mapped by name.

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	string	No	-	-

3.1.12.1. Property `root > functions > functions items > layerArns > additionalProperties`


Type	`string`
Required	No

3.1.13. Property `root > functions > functions items > logInsightsQueries`


Type	`array`
Required	No

Description: CloudWatch Logs Insights saved queries for log analysis.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
LogInsightsQueryProps	Configuration for CloudWatch Logs Insights saved queries for Lambda log analysis. ...

3.1.13.1. root > functions > functions items > logInsightsQueries > LogInsightsQueryProps


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/LogInsightsQueryProps

Description: Configuration for CloudWatch Logs Insights saved queries for Lambda log analysis.

Defines saved query definitions that can be executed against Lambda function logs for rapid error analysis, performance investigation, and operational insights.

Use cases: Error log analysis; Performance troubleshooting; Request tracing; Operational monitoring

AWS: CloudWatch Logs Insights query definitions for Lambda function log analysis

Validation: queryName must be unique; queryString must be valid Logs Insights syntax; logGroupNames optional

Property	Pattern	Type	Deprecated	Definition	Title/Description
- logGroupNames	No	array of string	No	-	Optional log group names for cross-function queries. Defaults to the function's log group.
+ queryName	No	string	No	-	Unique name for the saved query.
+ queryString	No	string	No	-	CloudWatch Logs Insights query string. Leading whitespace is stripped; limit clause added if missing.

3.1.13.1.1. Property `root > functions > functions items > logInsightsQueries > logInsightsQueries items > logGroupNames`


Type	`array of string`
Required	No

Description: Optional log group names for cross-function queries. Defaults to the function's log group.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
logGroupNames items	-

3.1.13.1.1.1. root > functions > functions items > logInsightsQueries > logInsightsQueries items > logGroupNames > logGroupNames items


Type	`string`
Required	No

3.1.13.1.2. Property `root > functions > functions items > logInsightsQueries > logInsightsQueries items > queryName`


Type	`string`
Required	Yes

Description: Unique name for the saved query.

3.1.13.1.3. Property `root > functions > functions items > logInsightsQueries > logInsightsQueries items > queryString`


Type	`string`
Required	Yes

Description: CloudWatch Logs Insights query string. Leading whitespace is stripped; limit clause added if missing.

3.1.14. Property `root > functions > functions items > maxEventAgeSeconds`


Type	`number`
Required	No

Description: Maximum event age in seconds (60-21600).

3.1.15. Property `root > functions > functions items > memorySizeMB`


Type	`number`
Required	No

Description: Memory allocation in MB (128-10240).

3.1.16. Property `root > functions > functions items > metricFilters`


Type	`array`
Required	No

Description: CloudWatch metric filters for custom metric extraction.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
MetricFilterProps	Configuration for CloudWatch metric filters extracting custom metrics from Lambda logs. ...

3.1.16.1. root > functions > functions items > metricFilters > MetricFilterProps


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/MetricFilterProps

Description: Configuration for CloudWatch metric filters extracting custom metrics from Lambda logs.

Defines filter patterns and transformations for converting log data into CloudWatch Metrics with support for JSON, space-delimited, and text patterns.

Use cases: Error rate monitoring; Performance tracking; Business metric extraction; Custom alerting

AWS: CloudWatch Logs metric filter for log-to-metric transformation

Validation: filterName must be unique; filterPattern must be valid syntax; metricTransformations required

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ filterName	No	string	No	-	Unique name for the metric filter.
+ filterPattern	No	string	No	-	CloudWatch Logs filter pattern for matching log events.
+ metricTransformations	No	array	No	-	Metric transformations defining how matched data is converted to metrics.

3.1.16.1.1. Property `root > functions > functions items > metricFilters > metricFilters items > filterName`


Type	`string`
Required	Yes

Description: Unique name for the metric filter.

3.1.16.1.2. Property `root > functions > functions items > metricFilters > metricFilters items > filterPattern`


Type	`string`
Required	Yes

Description: CloudWatch Logs filter pattern for matching log events.

3.1.16.1.3. Property `root > functions > functions items > metricFilters > metricFilters items > metricTransformations`


Type	`array`
Required	Yes

Description: Metric transformations defining how matched data is converted to metrics.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
MetricTransformationProps	Configuration for CloudWatch metric transformations defining log-to-metric conversion. ...

3.1.16.1.3.1. root > functions > functions items > metricFilters > metricFilters items > metricTransformations > MetricTransformationProps


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/MetricTransformationProps

Description: Configuration for CloudWatch metric transformations defining log-to-metric conversion.

Specifies how to extract metric values from Lambda function logs and publish them to CloudWatch Metrics with dimensions and units.

Use cases: Error rate metrics; Performance metrics; Business metrics; Custom monitoring

AWS: CloudWatch metric transformation for log-to-metric conversion and custom metric publishing

Validation: metricName and metricNamespace required; metricValue must be valid extraction pattern

Property	Pattern	Type	Deprecated	Definition	Title/Description
- defaultValue	No	number	No	-	Default value when filter pattern does not match.
- dimensions	No	object	No	-	Metric dimensions for segmentation and filtering.
+ metricName	No	string	No	-	CloudWatch metric name for the transformed metric.
+ metricNamespace	No	string	No	-	CloudWatch metric namespace for metric organization.
+ metricValue	No	string	No	-	Metric value extraction pattern (constant like "1" or field reference like "$duration").
- unit	No	string	No	-	CloudWatch metric unit (e.g., Count, Milliseconds).

3.1.16.1.3.1.1. Property `root > functions > functions items > metricFilters > metricFilters items > metricTransformations > metricTransformations items > defaultValue`


Type	`number`
Required	No

Description: Default value when filter pattern does not match.

3.1.16.1.3.1.2. Property `root > functions > functions items > metricFilters > metricFilters items > metricTransformations > metricTransformations items > dimensions`


Type	`object`
Required	No
Additional properties	Each additional property must conform to the schema

Description: Metric dimensions for segmentation and filtering.

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	string	No	-	-

3.1.16.1.3.1.2.1. Property `root > functions > functions items > metricFilters > metricFilters items > metricTransformations > metricTransformations items > dimensions > additionalProperties`


Type	`string`
Required	No

3.1.16.1.3.1.3. Property `root > functions > functions items > metricFilters > metricFilters items > metricTransformations > metricTransformations items > metricName`


Type	`string`
Required	Yes

Description: CloudWatch metric name for the transformed metric.

3.1.16.1.3.1.4. Property `root > functions > functions items > metricFilters > metricFilters items > metricTransformations > metricTransformations items > metricNamespace`


Type	`string`
Required	Yes

Description: CloudWatch metric namespace for metric organization.

3.1.16.1.3.1.5. Property `root > functions > functions items > metricFilters > metricFilters items > metricTransformations > metricTransformations items > metricValue`


Type	`string`
Required	Yes

Description: Metric value extraction pattern (constant like "1" or field reference like "$duration").

3.1.16.1.3.1.6. Property `root > functions > functions items > metricFilters > metricFilters items > metricTransformations > metricTransformations items > unit`


Type	`string`
Required	No

Description: CloudWatch metric unit (e.g., Count, Milliseconds).

3.1.17. Property `root > functions > functions items > reservedConcurrentExecutions`


Type	`number`
Required	No

Description: Reserved concurrent executions for capacity management.

3.1.18. Property `root > functions > functions items > retryAttempts`


Type	`number`
Required	No

Description: Maximum retry attempts for failed executions (0-2).

3.1.19. Property `root > functions > functions items > roleArn`


Type	`string`
Required	Yes

Description: IAM role ARN for Lambda function execution.

3.1.20. Property `root > functions > functions items > runtime`


Type	`string`
Required	No

Description: Lambda runtime (e.g., python3.9, nodejs18.x).

3.1.21. Property `root > functions > functions items > srcDir`


Type	`string`
Required	Yes

Description: Source code directory path containing Lambda function code.

3.1.22. Property `root > functions > functions items > timeoutSeconds`


Type	`number`
Required	No

Description: Function timeout in seconds.

3.1.23. Property `root > functions > functions items > vpcConfig`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/VpcConfigProps

Description: VPC configuration for network deployment.

Property	Pattern	Type	Deprecated	Definition	Title/Description
- securityGroupEgressRules	No	object	No	In #/definitions/MdaaSecurityGroupRuleProps	Optional egress rules for the Lambda function security group.
- securityGroupId	No	string	No	-	Optional security group ID. If omitted, a new security group is created.
+ subnetIds	No	array of string	No	-	Subnet IDs for Lambda function ENI placement.
+ vpcId	No	string	No	-	VPC ID for Lambda function deployment.

3.1.23.1. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/MdaaSecurityGroupRuleProps

Description: Optional egress rules for the Lambda function security group.

Property	Pattern	Type	Deprecated	Definition	Title/Description
- ipv4	No	array	No	-	IPv4 CIDR block rules for security group traffic control defining IP address-based access restrictions
- prefixList	No	array	No	-	Prefix list rules for security group traffic control defining managed prefix list-based access restrictions
- sg	No	array	No	-	Security group rules for cross-security group traffic control defining security group-based access restrictions

3.1.23.1.1. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > ipv4`


Type	`array`
Required	No

Description: IPv4 CIDR block rules for security group traffic control defining IP address-based access restrictions

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
MdaaCidrPeer	-

3.1.23.1.1.1. root > functions > functions items > vpcConfig > securityGroupEgressRules > ipv4 > MdaaCidrPeer


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/MdaaCidrPeer

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ cidr	No	string	No	-	CIDR block specification for network access control in security group rules enabling IP
- description	No	string	No	-	-
- port	No	number	No	-	-
+ protocol	No	string	No	-	-
- suppressions	No	array	No	-	-
- toPort	No	number	No	-	The ending port number for the security group rule defining the upper bound of the port range

3.1.23.1.1.1.1. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > ipv4 > ipv4 items > cidr`


Type	`string`
Required	Yes

Description: CIDR block specification for network access control in security group rules enabling IP

3.1.23.1.1.1.2. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > ipv4 > ipv4 items > description`


Type	`string`
Required	No

3.1.23.1.1.1.3. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > ipv4 > ipv4 items > port`


Type	`number`
Required	No

3.1.23.1.1.1.4. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > ipv4 > ipv4 items > protocol`


Type	`string`
Required	Yes

3.1.23.1.1.1.5. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > ipv4 > ipv4 items > suppressions`


Type	`array`
Required	No

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
NagPackSuppression	Interface for creating a rule suppression

3.1.23.1.1.1.5.1. root > functions > functions items > vpcConfig > securityGroupEgressRules > ipv4 > ipv4 items > suppressions > NagPackSuppression


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/NagPackSuppression

Description: Interface for creating a rule suppression

Property	Pattern	Type	Deprecated	Definition	Title/Description
- appliesTo	No	array	No	-	Rule specific granular suppressions
+ id	No	string	No	-	The id of the rule to ignore
+ reason	No	string	No	-	The reason to ignore the rule (minimum 10 characters)

3.1.23.1.1.1.5.1.1. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > ipv4 > ipv4 items > suppressions > suppressions items > appliesTo`


Type	`array`
Required	No

Description: Rule specific granular suppressions

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
NagPackSuppressionAppliesTo	A granular suppression

3.1.23.1.1.1.5.1.1.1. root > functions > functions items > vpcConfig > securityGroupEgressRules > ipv4 > ipv4 items > suppressions > suppressions items > appliesTo > NagPackSuppressionAppliesTo


Type	`combining`
Required	No
Additional properties	Any type allowed
Defined in	#/definitions/NagPackSuppressionAppliesTo

Description: A granular suppression

Any of(Option)
RegexAppliesTo
item 1

3.1.23.1.1.1.5.1.1.1.1. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > ipv4 > ipv4 items > suppressions > suppressions items > appliesTo > appliesTo items > anyOf > RegexAppliesTo`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/RegexAppliesTo

Description: A regular expression to apply to matching findings

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ regex	No	string	No	-	An ECMA-262 regex string

3.1.23.1.1.1.5.1.1.1.1.1. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > ipv4 > ipv4 items > suppressions > suppressions items > appliesTo > appliesTo items > anyOf > item 0 > regex`


Type	`string`
Required	Yes

Description: An ECMA-262 regex string

3.1.23.1.1.1.5.1.1.1.2. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > ipv4 > ipv4 items > suppressions > suppressions items > appliesTo > appliesTo items > anyOf > item 1`


Type	`string`
Required	No

3.1.23.1.1.1.5.1.2. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > ipv4 > ipv4 items > suppressions > suppressions items > id`


Type	`string`
Required	Yes

Description: The id of the rule to ignore

3.1.23.1.1.1.5.1.3. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > ipv4 > ipv4 items > suppressions > suppressions items > reason`


Type	`string`
Required	Yes

Description: The reason to ignore the rule (minimum 10 characters)

3.1.23.1.1.1.6. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > ipv4 > ipv4 items > toPort`


Type	`number`
Required	No

Description: The ending port number for the security group rule defining the upper bound of the port range

3.1.23.1.2. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > prefixList`


Type	`array`
Required	No

Description: Prefix list rules for security group traffic control defining managed prefix list-based access restrictions

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
MdaaPrefixListPeer	-

3.1.23.1.2.1. root > functions > functions items > vpcConfig > securityGroupEgressRules > prefixList > MdaaPrefixListPeer


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/MdaaPrefixListPeer

Property	Pattern	Type	Deprecated	Definition	Title/Description
- description	No	string	No	-	-
- port	No	number	No	-	-
+ prefixList	No	string	No	-	Prefix list identifier for managed IP range access control in security group rules enabling
+ protocol	No	string	No	-	-
- suppressions	No	array	No	-	-
- toPort	No	number	No	-	The ending port number for the security group rule defining the upper bound of the port range

3.1.23.1.2.1.1. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > prefixList > prefixList items > description`


Type	`string`
Required	No

3.1.23.1.2.1.2. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > prefixList > prefixList items > port`


Type	`number`
Required	No

3.1.23.1.2.1.3. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > prefixList > prefixList items > prefixList`


Type	`string`
Required	Yes

Description: Prefix list identifier for managed IP range access control in security group rules enabling

3.1.23.1.2.1.4. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > prefixList > prefixList items > protocol`


Type	`string`
Required	Yes

3.1.23.1.2.1.5. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > prefixList > prefixList items > suppressions`


Type	`array`
Required	No

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
NagPackSuppression	Interface for creating a rule suppression

3.1.23.1.2.1.5.1. root > functions > functions items > vpcConfig > securityGroupEgressRules > prefixList > prefixList items > suppressions > NagPackSuppression


Type	`object`
Required	No
Additional properties	Not allowed
Same definition as	functions_items_vpcConfig_securityGroupEgressRules_ipv4_items_suppressions_items

Description: Interface for creating a rule suppression

3.1.23.1.2.1.6. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > prefixList > prefixList items > toPort`


Type	`number`
Required	No

Description: The ending port number for the security group rule defining the upper bound of the port range

3.1.23.1.3. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > sg`


Type	`array`
Required	No

Description: Security group rules for cross-security group traffic control defining security group-based access restrictions

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
MdaaSecurityGroupPeer	-

3.1.23.1.3.1. root > functions > functions items > vpcConfig > securityGroupEgressRules > sg > MdaaSecurityGroupPeer


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/MdaaSecurityGroupPeer

Property	Pattern	Type	Deprecated	Definition	Title/Description
- description	No	string	No	-	-
- port	No	number	No	-	-
+ protocol	No	string	No	-	-
+ sgId	No	string	No	-	Security group identifier for security group-based access control in network rules enabling
- suppressions	No	array	No	-	-
- toPort	No	number	No	-	The ending port number for the security group rule defining the upper bound of the port range

3.1.23.1.3.1.1. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > sg > sg items > description`


Type	`string`
Required	No

3.1.23.1.3.1.2. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > sg > sg items > port`


Type	`number`
Required	No

3.1.23.1.3.1.3. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > sg > sg items > protocol`


Type	`string`
Required	Yes

3.1.23.1.3.1.4. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > sg > sg items > sgId`


Type	`string`
Required	Yes

Description: Security group identifier for security group-based access control in network rules enabling

3.1.23.1.3.1.5. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > sg > sg items > suppressions`


Type	`array`
Required	No

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
NagPackSuppression	Interface for creating a rule suppression

3.1.23.1.3.1.5.1. root > functions > functions items > vpcConfig > securityGroupEgressRules > sg > sg items > suppressions > NagPackSuppression


Type	`object`
Required	No
Additional properties	Not allowed
Same definition as	functions_items_vpcConfig_securityGroupEgressRules_ipv4_items_suppressions_items

Description: Interface for creating a rule suppression

3.1.23.1.3.1.6. Property `root > functions > functions items > vpcConfig > securityGroupEgressRules > sg > sg items > toPort`


Type	`number`
Required	No

Description: The ending port number for the security group rule defining the upper bound of the port range

3.1.23.2. Property `root > functions > functions items > vpcConfig > securityGroupId`


Type	`string`
Required	No

Description: Optional security group ID. If omitted, a new security group is created.

3.1.23.3. Property `root > functions > functions items > vpcConfig > subnetIds`


Type	`array of string`
Required	Yes

Description: Subnet IDs for Lambda function ENI placement.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
subnetIds items	-

3.1.23.3.1. root > functions > functions items > vpcConfig > subnetIds > subnetIds items


Type	`string`
Required	No

3.1.23.4. Property `root > functions > functions items > vpcConfig > vpcId`


Type	`string`
Required	Yes

Description: VPC ID for Lambda function deployment.

4. Property `root > kmsArn`


Type	`string`
Required	No

Description: KMS key ARN for encrypting DataOps resources and data. Auto-resolved from project when projectName is set.

Use cases: Data encryption; Security compliance

AWS: KMS key

Validation: Optional; auto-wired from project if projectName provided

5. Property `root > layers`


Type	`array`
Required	No

Description: Lambda layer definitions for shared code and dependencies across functions.

Use cases: Shared libraries; Dependency management; Runtime consistency

AWS: Lambda layers

Validation: Optional; array of LayerProps

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
LayerProps	Lambda layer configuration for shared code and dependency management. ...

5.1. root > layers > LayerProps


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/LayerProps

Description: Lambda layer configuration for shared code and dependency management.

Defines layer source, naming, and build options for reusable Lambda layers.

Use cases: Shared library deployment; Dependency management; Code reuse

AWS: Lambda layer configuration for shared library deployment

Validation: src and layerName required; dockerBuild optional

Property	Pattern	Type	Deprecated	Definition	Title/Description
- description	No	string	No	-	Description of the layer
- dockerBuild	No	boolean	No	-	If true, src is expected to contain a Dockerfile for building the layer
+ layerName	No	string	No	-	Layer name
+ src	No	string	No	-	Source directory or ZIP file path for layer code.

5.1.1. Property `root > layers > layers items > description`


Type	`string`
Required	No

Description: Description of the layer

5.1.2. Property `root > layers > layers items > dockerBuild`


Type	`boolean`
Required	No

Description: If true, src is expected to contain a Dockerfile for building the layer

5.1.3. Property `root > layers > layers items > layerName`


Type	`string`
Required	Yes

Description: Layer name

5.1.4. Property `root > layers > layers items > src`


Type	`string`
Required	Yes

Description: Source directory or ZIP file path for layer code.

6. Property `root > nag_suppressions`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/MdaaNagSuppressionConfigs

Description: Q-ENHANCED-PROPERTY Optional CDK Nag suppression configurations for compliance rule management enabling controlled security rule exceptions and compliance documentation. Provides structured approach to managing security rule suppressions with proper justification and documentation for compliance auditing.

Use cases: Compliance management; Security rule exceptions; Audit documentation; Controlled suppressions

AWS: CDK Nag suppressions for compliance rule management and security exception documentation

Validation: Must be valid MdaaNagSuppressionConfigs if provided; enables structured compliance rule management

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ by_path	No	array	No	-	Array of CDK Nag suppressions organized by CloudFormation resource path, enabling targeted

6.1. Property `root > nag_suppressions > by_path`


Type	`array`
Required	Yes

Description: Array of CDK Nag suppressions organized by CloudFormation resource path, enabling targeted

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
MdaaNagSuppressionByPath	-

6.1.1. root > nag_suppressions > by_path > MdaaNagSuppressionByPath


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/MdaaNagSuppressionByPath

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ path	No	string	No	-	CloudFormation resource path identifying the specific resource for which CDK Nag rules should be suppressed
+ suppressions	No	array of object	No	-	Array of specific CDK Nag rule suppressions with rule IDs and mandatory justifications for audit compliance

6.1.1.1. Property `root > nag_suppressions > by_path > by_path items > path`


Type	`string`
Required	Yes

Description: CloudFormation resource path identifying the specific resource for which CDK Nag rules should be suppressed

6.1.1.2. Property `root > nag_suppressions > by_path > by_path items > suppressions`


Type	`array of object`
Required	Yes

Description: Array of specific CDK Nag rule suppressions with rule IDs and mandatory justifications for audit compliance

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
suppressions items	-

6.1.1.2.1. root > nag_suppressions > by_path > by_path items > suppressions > suppressions items


Type	`object`
Required	No
Additional properties	Not allowed

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ id	No	string	No	-	-
+ reason	No	string	No	-	-

6.1.1.2.1.1. Property `root > nag_suppressions > by_path > by_path items > suppressions > suppressions items > id`


Type	`string`
Required	Yes

6.1.1.2.1.2. Property `root > nag_suppressions > by_path > by_path items > suppressions > suppressions items > reason`


Type	`string`
Required	Yes

7. Property `root > notificationTopicArn`


Type	`string`
Required	No

Description: SNS topic ARN for job notifications and workflow alerts. Auto-resolved from project when projectName is set.

Use cases: Job failure alerts; Workflow status notifications

AWS: SNS topic

Validation: Optional; auto-wired from project if projectName provided

8. Property `root > projectName`


Type	`string`
Required	No

Description: DataOps project name for Lambda function resource autowiring.

Use cases: Project integration; Shared permissions and infrastructure

AWS: DataOps project reference

Validation: Optional; must match an existing deployed project

9. Property `root > sagemakerBlueprint`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/MdaaSageMakerCustomBluePrintConfig

Description: Q-ENHANCED-PROPERTY Optional SageMaker blueprint configuration for governed self-service deployment enabling controlled infrastructure provisioning and governance. When specified, deploys the module as a SageMaker blueprint instead of direct deployment for governed access and compliance.

Use cases: Governed deployment; Self-service provisioning; SageMaker integration; Controlled access

AWS: SageMaker blueprint configuration for governed infrastructure deployment and self-service provisioning

Validation: Must be valid MdaaServiceCatalogProductConfig if provided; enables SageMaker deployment mode

Property	Pattern	Type	Deprecated	Definition	Title/Description
- additionalAccounts	No	object	No	-	Q-ENHANCED-PROPERTY Optional map of additional AWS accounts where the SageMaker blueprint should be enabled. Each entry maps a friendly account name to account-specific configuration including provisioning role ARN and optional parameters and authorized domain units. Use cases: Multi-account deployment; Cross-account provisioning; Account-specific configuration AWS: AWS SageMaker blueprint multi-account provisioning configuration Validation: Must be object with string keys and valid account configuration values if provided
- authorizedDomainUnits	No	array of string	No	-	-
- blueprintName	No	string	No	-	-
- description	No	string	No	-	Q-ENHANCED-PROPERTY Description for the SageMaker blueprint that will be visible to end users in the SageMaker console. Should be descriptive and user-friendly to facilitate blueprint discovery and selection. Use cases: Product identification; User-friendly naming; SageMaker console display AWS: AWS SageMaker blueprint name for user interface display Validation: Must be non-empty string suitable for SageMaker blueprint naming
- domainBucketName	No	string	No	-	-
- domainConfig	No	object	No	In #/definitions/DomainConfig	-
- domainConfigSSMParam	No	string	No	-	Q-ENHANCED-PROPERTY Optional SSM parameter reference for domain configuration enabling dynamic domain configuration management. Specifies the SSM parameter containing domain configuration data for flexible domain setup and configuration management. Use cases: Dynamic configuration; SSM parameter reference; Configuration management; Flexible setup AWS: AWS Systems Manager parameter for DataZone domain configuration reference Validation: Must be valid SSM parameter name if provided; parameter must contain valid domain configuration
- enabledRegions	No	array of string	No	-	-
- parameters	No	object	No	-	Q-ENHANCED-PROPERTY Optional object containing named parameter configurations for the SageMaker blueprint. Enables parameterized blueprint deployment with validation rules and user input constraints. Use cases: Product parameterization; User input collection; Deployment customization AWS: AWS SageMaker blueprint parameters for user-configurable deployment options Validation: Must be object with string keys and valid MdaaServiceCatalogParameterConfig values if provided *
+ provisioningRole	No	object	No	Same as provisioningRole	-

9.1. Property `root > sagemakerBlueprint > additionalAccounts`


Type	`object`
Required	No
Additional properties	Each additional property must conform to the schema

Description: Q-ENHANCED-PROPERTY Optional map of additional AWS accounts where the SageMaker blueprint should be enabled. Each entry maps a friendly account name to account-specific configuration including provisioning role ARN and optional parameters and authorized domain units.

Use cases: Multi-account deployment; Cross-account provisioning; Account-specific configuration

AWS: AWS SageMaker blueprint multi-account provisioning configuration

Validation: Must be object with string keys and valid account configuration values if provided

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	object	No	In #/definitions/AdditionalBlueprintAccount	-

9.1.1. Property `root > sagemakerBlueprint > additionalAccounts > AdditionalBlueprintAccount`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/AdditionalBlueprintAccount

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ account	No	string	No	-	-
- authorizedDomainUnits	No	array of string	No	-	-
- enabledRegions	No	array of string	No	-	-
- parameters	No	object	No	-	-
+ provisioningRole	No	object	No	In #/definitions/MdaaRoleRef	-

9.1.1.1. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > account`


Type	`string`
Required	Yes

9.1.1.2. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > authorizedDomainUnits`


Type	`array of string`
Required	No

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
authorizedDomainUnits items	-

9.1.1.2.1. root > sagemakerBlueprint > additionalAccounts > additionalProperties > authorizedDomainUnits > authorizedDomainUnits items


Type	`string`
Required	No

9.1.1.3. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > enabledRegions`


Type	`array of string`
Required	No

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
enabledRegions items	-

9.1.1.3.1. root > sagemakerBlueprint > additionalAccounts > additionalProperties > enabledRegions > enabledRegions items


Type	`string`
Required	No

9.1.1.4. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > parameters`


Type	`object`
Required	No
Additional properties	Each additional property must conform to the schema

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	object	No	In #/definitions/MdaaSageMakerBluePrintParameterConfig	-

9.1.1.4.1. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > parameters > MdaaSageMakerBluePrintParameterConfig`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/MdaaSageMakerBluePrintParameterConfig

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ blueprintParamProps	No	object	No	In #/definitions/MdaaSageMakerBluePrintParameterProps	-
- cfnParamProps	No	object	No	In #/definitions/CfnParameterProps	-

9.1.1.4.1.1. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > parameters > additionalProperties > blueprintParamProps`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/MdaaSageMakerBluePrintParameterProps

Property	Pattern	Type	Deprecated	Definition	Title/Description
- defaultValue	No	string	No	-	-
- description	No	string	No	-	-
+ fieldType	No	string	No	-	-
- isEditable	No	boolean	No	-	-
- isOptional	No	boolean	No	-	-
- isUpdateSupported	No	boolean	No	-	-

9.1.1.4.1.1.1. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > parameters > additionalProperties > blueprintParamProps > defaultValue`


Type	`string`
Required	No

9.1.1.4.1.1.2. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > parameters > additionalProperties > blueprintParamProps > description`


Type	`string`
Required	No

9.1.1.4.1.1.3. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > parameters > additionalProperties > blueprintParamProps > fieldType`


Type	`string`
Required	Yes

9.1.1.4.1.1.4. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > parameters > additionalProperties > blueprintParamProps > isEditable`


Type	`boolean`
Required	No

9.1.1.4.1.1.5. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > parameters > additionalProperties > blueprintParamProps > isOptional`


Type	`boolean`
Required	No

9.1.1.4.1.1.6. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > parameters > additionalProperties > blueprintParamProps > isUpdateSupported`


Type	`boolean`
Required	No

9.1.1.4.1.2. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > parameters > additionalProperties > cfnParamProps`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/CfnParameterProps

Property	Pattern	Type	Deprecated	Definition	Title/Description
- allowedPattern	No	string	No	-	A regular expression that represents the patterns to allow for String types.
- allowedValues	No	array of string	No	-	An array containing the list of values allowed for the parameter.
- constraintDescription	No	string	No	-	A string that explains a constraint when the constraint is violated. For example, without a constraint description, a parameter that has an allowed pattern of [A-Za-z0-9]+ displays the following error message when the user specifies an invalid value:
- default	No	object	No	-	A value of the appropriate type for the template to use if no value is specified when a stack is created. If you define constraints for the parameter, you must specify a value that adheres to those constraints.
- description	No	string	No	-	A string of up to 4000 characters that describes the parameter.
- maxLength	No	number	No	-	An integer value that determines the largest number of characters you want to allow for String types.
- maxValue	No	number	No	-	A numeric value that determines the largest numeric value you want to allow for Number types.
- minLength	No	number	No	-	An integer value that determines the smallest number of characters you want to allow for String types.
- minValue	No	number	No	-	A numeric value that determines the smallest numeric value you want to allow for Number types.
- noEcho	No	boolean	No	-	Whether to mask the parameter value when anyone makes a call that describes the stack. If you set the value to ``true``, the parameter value is masked with asterisks (``*``).
- type	No	string	No	-	The data type for the parameter (DataType).

9.1.1.4.1.2.1. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > parameters > additionalProperties > cfnParamProps > allowedPattern`


Type	`string`
Required	No
Default	`"- No constraints on patterns allowed for parameter."`

Description: A regular expression that represents the patterns to allow for String types.

9.1.1.4.1.2.2. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > parameters > additionalProperties > cfnParamProps > allowedValues`


Type	`array of string`
Required	No
Default	`"- No constraints on values allowed for parameter."`

Description: An array containing the list of values allowed for the parameter.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
allowedValues items	-

9.1.1.4.1.2.2.1. root > sagemakerBlueprint > additionalAccounts > additionalProperties > parameters > additionalProperties > cfnParamProps > allowedValues > allowedValues items


Type	`string`
Required	No

9.1.1.4.1.2.3. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > parameters > additionalProperties > cfnParamProps > constraintDescription`


Type	`string`
Required	No
Default	`"- No description with customized error message when user specifies invalid values."`

Description: A string that explains a constraint when the constraint is violated. For example, without a constraint description, a parameter that has an allowed pattern of [A-Za-z0-9]+ displays the following error message when the user specifies an invalid value:

9.1.1.4.1.2.4. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > parameters > additionalProperties > cfnParamProps > default`


Type	`object`
Required	No
Additional properties	Any type allowed
Default	`"- No default value for parameter."`

Description: A value of the appropriate type for the template to use if no value is specified when a stack is created. If you define constraints for the parameter, you must specify a value that adheres to those constraints.

9.1.1.4.1.2.5. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > parameters > additionalProperties > cfnParamProps > description`


Type	`string`
Required	No
Default	`"- No description for the parameter."`

Description: A string of up to 4000 characters that describes the parameter.

9.1.1.4.1.2.6. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > parameters > additionalProperties > cfnParamProps > maxLength`


Type	`number`
Required	No
Default	`"- None."`

Description: An integer value that determines the largest number of characters you want to allow for String types.

9.1.1.4.1.2.7. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > parameters > additionalProperties > cfnParamProps > maxValue`


Type	`number`
Required	No
Default	`"- None."`

Description: A numeric value that determines the largest numeric value you want to allow for Number types.

9.1.1.4.1.2.8. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > parameters > additionalProperties > cfnParamProps > minLength`


Type	`number`
Required	No
Default	`"- None."`

Description: An integer value that determines the smallest number of characters you want to allow for String types.

9.1.1.4.1.2.9. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > parameters > additionalProperties > cfnParamProps > minValue`


Type	`number`
Required	No
Default	`"- None."`

Description: A numeric value that determines the smallest numeric value you want to allow for Number types.

9.1.1.4.1.2.10. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > parameters > additionalProperties > cfnParamProps > noEcho`


Type	`boolean`
Required	No
Default	`"- Parameter values are not masked."`

Description: Whether to mask the parameter value when anyone makes a call that describes the stack. If you set the value to true, the parameter value is masked with asterisks (*****).

9.1.1.4.1.2.11. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > parameters > additionalProperties > cfnParamProps > type`


Type	`string`
Required	No
Default	`"String"`

Description: The data type for the parameter (DataType).

9.1.1.5. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > provisioningRole`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/MdaaRoleRef

Property	Pattern	Type	Deprecated	Definition	Title/Description
- arn	No	string	No	-	Full IAM role ARN for cross-account role references and explicit role identification. Use cases: Cross-account role references; Explicit role binding; Multi-account deployments AWS: Full IAM role ARN (arn:aws:iam::ACCOUNT:role/ROLE-NAME) Validation: Optional; must be a valid IAM role ARN if provided
- id	No	string	No	-	IAM role unique identifier for role resolution using the role's AWS-generated ID. Use cases: Stable role references; Role resolution by unique ID; Immutable role binding AWS: IAM role unique ID (e.g., AROA...) Validation: Optional; must be a valid IAM role unique ID if provided
- immutable	No	boolean	No	-	Flag indicating whether the referenced role should be treated as immutable and not modified by MDAA operations. Use cases: Pre-existing role protection; Externally managed roles; Read-only role references AWS: Controls whether MDAA attaches policies or modifies the referenced IAM role Validation: Optional boolean; defaults to false
- name	No	string	No	-	IAM role name for role resolution within the same AWS account. Use cases: Same-account role references; Role name-based resolution; Local IAM role binding AWS: IAM role name resolved via GetRole within the deployment account Validation: Optional; must be a valid IAM role name; mutually preferred with arn/id for resolution
- refId	No	string	No	-	Unique identifier for the role reference within a configuration scope, enabling role lookup and deduplication. Use cases: Role reference identification; Configuration deduplication; Role lookup key AWS: Logical identifier for IAM role references within MDAA configuration Validation: Optional; must be unique within the configuration scope if provided
- sso	No	boolean	No	-	Flag indicating the role should be resolved as an AWS SSO auto-generated role. Use cases: AWS IAM Identity Center integration; SSO permission set role binding; Federated access AWS: Resolves role via AWS SSO/Identity Center auto-generated role naming convention Validation: Optional boolean; defaults to false

9.1.1.5.1. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > provisioningRole > arn`


Type	`string`
Required	No

Description: Full IAM role ARN for cross-account role references and explicit role identification.

Use cases: Cross-account role references; Explicit role binding; Multi-account deployments

AWS: Full IAM role ARN (arn:aws:iam::ACCOUNT:role/ROLE-NAME)

Validation: Optional; must be a valid IAM role ARN if provided

9.1.1.5.2. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > provisioningRole > id`


Type	`string`
Required	No

Description: IAM role unique identifier for role resolution using the role's AWS-generated ID.

Use cases: Stable role references; Role resolution by unique ID; Immutable role binding

AWS: IAM role unique ID (e.g., AROA...)

Validation: Optional; must be a valid IAM role unique ID if provided

9.1.1.5.3. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > provisioningRole > immutable`


Type	`boolean`
Required	No

Description: Flag indicating whether the referenced role should be treated as immutable and not modified by MDAA operations.

Use cases: Pre-existing role protection; Externally managed roles; Read-only role references

AWS: Controls whether MDAA attaches policies or modifies the referenced IAM role

Validation: Optional boolean; defaults to false

9.1.1.5.4. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > provisioningRole > name`


Type	`string`
Required	No

Description: IAM role name for role resolution within the same AWS account.

Use cases: Same-account role references; Role name-based resolution; Local IAM role binding

AWS: IAM role name resolved via GetRole within the deployment account

Validation: Optional; must be a valid IAM role name; mutually preferred with arn/id for resolution

9.1.1.5.5. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > provisioningRole > refId`


Type	`string`
Required	No

Description: Unique identifier for the role reference within a configuration scope, enabling role lookup and deduplication.

Use cases: Role reference identification; Configuration deduplication; Role lookup key

AWS: Logical identifier for IAM role references within MDAA configuration

Validation: Optional; must be unique within the configuration scope if provided

9.1.1.5.6. Property `root > sagemakerBlueprint > additionalAccounts > additionalProperties > provisioningRole > sso`


Type	`boolean`
Required	No

Description: Flag indicating the role should be resolved as an AWS SSO auto-generated role.

Use cases: AWS IAM Identity Center integration; SSO permission set role binding; Federated access

AWS: Resolves role via AWS SSO/Identity Center auto-generated role naming convention

Validation: Optional boolean; defaults to false

9.2. Property `root > sagemakerBlueprint > authorizedDomainUnits`


Type	`array of string`
Required	No

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
authorizedDomainUnits items	-

9.2.1. root > sagemakerBlueprint > authorizedDomainUnits > authorizedDomainUnits items


Type	`string`
Required	No

9.3. Property `root > sagemakerBlueprint > blueprintName`


Type	`string`
Required	No

9.4. Property `root > sagemakerBlueprint > description`


Type	`string`
Required	No

Description: Q-ENHANCED-PROPERTY Description for the SageMaker blueprint that will be visible to end users in the SageMaker console. Should be descriptive and user-friendly to facilitate blueprint discovery and selection.

Use cases: Product identification; User-friendly naming; SageMaker console display

AWS: AWS SageMaker blueprint name for user interface display

Validation: Must be non-empty string suitable for SageMaker blueprint naming

9.5. Property `root > sagemakerBlueprint > domainBucketName`


Type	`string`
Required	No

9.6. Property `root > sagemakerBlueprint > domainConfig`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/DomainConfig

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ blueprintIds	No	object	No	-	-
+ configParamArns	No	array of string	No	-	-
+ customResourceRoleName	No	string	No	-	-
+ domainArn	No	string	No	-	-
+ domainBucketArn	No	string	No	-	-
+ domainBucketUsagePolicyName	No	string	No	-	-
+ domainConfigCr	No	object	No	In #/definitions/MdaaCustomResource	-
+ domainId	No	string	No	-	-
+ domainKmsKeyArn	No	string	No	-	-
+ domainKmsUsagePolicyName	No	string	No	-	-
+ domainName	No	string	No	-	-
+ domainUnitIds	No	object	No	-	-
+ domainVersion	No	string	No	-	-
+ glueCatalogArns	No	array of string	No	-	-
+ glueCatalogKmsKeyArns	No	array of string	No	-	-
+ node	No	object	No	Same as node	The tree node.
+ projectIds	No	object	No	-	-
+ props	No	object	No	In #/definitions/DomainConfigProps	-
+ ssmParamBase	No	string	No	-	-

9.6.1. Property `root > sagemakerBlueprint > domainConfig > blueprintIds`


Type	`object`
Required	Yes
Additional properties	Each additional property must conform to the schema

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	string	No	-	-

9.6.1.1. Property `root > sagemakerBlueprint > domainConfig > blueprintIds > additionalProperties`


Type	`string`
Required	No

9.6.2. Property `root > sagemakerBlueprint > domainConfig > configParamArns`


Type	`array of string`
Required	Yes
Default	`[]`

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
configParamArns items	-

9.6.2.1. root > sagemakerBlueprint > domainConfig > configParamArns > configParamArns items


Type	`string`
Required	No

9.6.3. Property `root > sagemakerBlueprint > domainConfig > customResourceRoleName`


Type	`string`
Required	Yes

9.6.4. Property `root > sagemakerBlueprint > domainConfig > domainArn`


Type	`string`
Required	Yes

9.6.5. Property `root > sagemakerBlueprint > domainConfig > domainBucketArn`


Type	`string`
Required	Yes

9.6.6. Property `root > sagemakerBlueprint > domainConfig > domainBucketUsagePolicyName`


Type	`string`
Required	Yes

9.6.7. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/MdaaCustomResource

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ _allowCrossEnvironment	No	object	No	-	-
+ _physicalName	No	object	No	-	-
+ env	No	object	No	In #/definitions/ResourceEnvironment	The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
+ handlerFunction	No	object	No	In #/definitions/MdaaLambdaFunction	Construct for creating a compliant Lambda Function
+ node	No	object	No	Same as node	The tree node.
+ physicalName	No	string	No	-	Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource. This value will resolve to one of the following: - a concrete value (e.g. `"my-awesome-bucket"`) - `undefined`, when a name should be generated by CloudFormation - a concrete name generated automatically during synthesis, in cross-environment scenarios.
+ ref	No	string	No	-	The physical name of this custom resource.
+ resource	No	object	No	-	-
+ stack	No	object	No	Same as stack	The stack in which this resource is defined.

9.6.7.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > _allowCrossEnvironment`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > _physicalName`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > env`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/ResourceEnvironment

Description: The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ account	No	string	No	-	The AWS account ID that this resource belongs to. Since this can be a Token (for example, when the account is CloudFormation's AWS::AccountId intrinsic), make sure to use Token.compareStrings() instead of just comparing the values for equality.
+ region	No	string	No	-	The AWS region that this resource belongs to. Since this can be a Token (for example, when the region is CloudFormation's AWS::Region intrinsic), make sure to use Token.compareStrings() instead of just comparing the values for equality.

9.6.7.3.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > env > account`


Type	`string`
Required	Yes

Description: The AWS account ID that this resource belongs to. Since this can be a Token (for example, when the account is CloudFormation's AWS::AccountId intrinsic), make sure to use Token.compareStrings() instead of just comparing the values for equality.

9.6.7.3.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > env > region`


Type	`string`
Required	Yes

Description: The AWS region that this resource belongs to. Since this can be a Token (for example, when the region is CloudFormation's AWS::Region intrinsic), make sure to use Token.compareStrings() instead of just comparing the values for equality.

9.6.7.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/MdaaLambdaFunction

Description: Construct for creating a compliant Lambda Function

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ _allowCrossEnvironment	No	object	No	-	-
- _architecture	No	object	No	-	-
- _connections	No	object	No	In #/definitions/Connections	Actual connections object for this Lambda May be unset, in which case this Lambda is not configured use in a VPC.
- _currentVersion	No	object	No	-	-
+ _functionUrlInvocationGrants	No	object	No	In #/definitions/Record%3Cstring%2CGrant%3E	Mapping of function URL invocation principals to grants. Used to de-dupe `grantInvokeUrl()` calls.
+ _hasAddedArrayTokenStatements	No	object	No	-	Track whether we've added statements with array token resources to the role's default policy
+ _hasAddedLiteralStatements	No	object	No	-	Track whether we've added statements with literal resources to the role's default policy
+ _invocationGrants	No	object	No	Same as _functionUrlInvocationGrants	Mapping of invocation principals to grants. Used to de-dupe `grantInvoke()` calls.
- _latestVersion	No	object	No	-	-
+ _layers	No	array	No	-	-
- _logGroup	No	object	No	-	-
- _logRetention	No	object	No	In #/definitions/LogRetention	Creates a custom resource to control the retention policy of a CloudWatch Logs log group. The log group is created if it doesn't already exist. The policy is removed when `retentionDays` is `undefined` or equal to `Infinity`. Log group can be created in the region that is different from stack region by specifying `logGroupRegion`
+ _physicalName	No	object	No	-	-
+ _policyCounter	No	object	No	-	The number of permissions added to this function
- _skipPermissions	No	boolean	No	-	Whether the user decides to skip adding permissions. The only use case is for cross-account, imported lambdas where the user commits to modifying the permisssions on the imported lambda outside CDK.
+ _warnIfCurrentVersionCalled	No	boolean	No	-	Flag to delay adding a warning message until current version is invoked.
+ architecture	No	object	No	In #/definitions/Architecture	The architecture of this Lambda Function (this is an optional attribute and defaults to X86_64).
+ buildDeadLetterConfig	No	object	No	-	-
+ buildDeadLetterQueue	No	object	No	-	-
+ buildTracingConfig	No	object	No	-	-
+ canCreatePermissions	No	const	No	-	Whether the addPermission() call adds any permissions True for new Lambdas, false for version $LATEST and imported Lambdas from different accounts.
+ configureAdotInstrumentation	No	object	No	-	Add an AWS Distro for OpenTelemetry Lambda layer.
+ configureLambdaInsights	No	object	No	-	Configured lambda insights on the function if specified. This is achieved by adding an imported layer which is added to the list of lambda layers on synthesis. https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-extension-versions.html
+ configureParamsAndSecretsExtension	No	object	No	-	Add a Parameters and Secrets Extension Lambda layer.
+ configureSnapStart	No	object	No	-	-
+ configureVpc	No	object	No	-	If configured, set up the VPC-related properties Returns the VpcConfig that should be added to the Lambda creation properties.
+ connections	No	object	No	Same as _connections	Access the Connections object Will fail if not a VPC-enabled Lambda Function
+ currentVersion	No	object	No	In #/definitions/Version	Returns a `lambda.Version` which represents the current version of this Lambda function. A new version will be created every time the function's configuration changes. You can specify options for this version using the `currentVersionOptions` prop when initializing the `lambda.Function`.
- currentVersionOptions	No	object	No	-	-
- deadLetterQueue	No	object	No	In #/definitions/IQueue	The DLQ (as queue) associated with this Lambda Function (this is an optional attribute).
- deadLetterTopic	No	object	No	In #/definitions/ITopic	The DLQ (as topic) associated with this Lambda Function (this is an optional attribute).
+ env	No	object	No	Same as env	The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
+ environment	No	object	No	-	Environment variables for this function
+ functionArn	No	string	No	-	ARN of this function
+ functionName	No	string	No	-	Name of this function
+ functionRef	No	object	No	Same as functionRef	A reference to a Function resource.
+ getLoggingConfig	No	object	No	-	Get Logging Config property for the function. This method returns the function LoggingConfig Property if the property is set on the function and undefined if not.
+ grant	No	object	No	-	-
+ grantPrincipal	No	object	No	Same as grantPrincipal	The principal this Lambda Function is running as
+ hashMixins	No	object	No	-	-
+ isBoundToVpc	No	boolean	No	-	Whether or not this Lambda function was bound to a VPC If this is is `false`, trying to access the `connections` object will fail.
+ isPrincipalWithConditions	No	object	No	-	-
+ isQueue	No	object	No	-	-
+ latestVersion	No	object	No	Same as latestVersion	The `$LATEST` version of this function. Note that this is reference to a non-specific AWS Lambda version, which means the function this version refers to can return different results in different invocations. To obtain a reference to an explicit version which references the current function configuration, use `lambdaFunction.currentVersion` instead.
+ logGroup	No	object	No	In #/definitions/ILogGroup	The LogGroup where the Lambda function's logs are made available. If either `logRetention` is set or this property is called, a CloudFormation custom resource is added to the stack that pre-creates the log group as part of the stack deployment, if it already doesn't exist, and sets the correct log retention period (never expire, by default). Further, if the log group already exists and the `logRetention` is not set, the custom resource will reset the log retention to never expire even if it was configured with a different value.
+ node	No	object	No	Same as node	The tree node.
+ parsePermissionPrincipal	No	object	No	-	Translate IPrincipal to something we can pass to AWS::Lambda::Permissions Do some nasty things because `Permission` supports a subset of what the full IAM principal language supports, and we may not be able to parse strings outright because they may be tokens. Try to recognize some specific Principal classes first, then try a generic fallback.
+ permissionsNode	No	object	No	Same as node	The construct node where permissions are attached.
+ physicalName	No	string	No	-	Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource. This value will resolve to one of the following: - a concrete value (e.g. `"my-awesome-bucket"`) - `undefined`, when a name should be generated by CloudFormation - a concrete name generated automatically during synthesis, in cross-environment scenarios.
+ renderEnvironment	No	object	No	-	-
+ renderLayers	No	object	No	-	-
+ resourceArnsForGrantInvoke	No	array of string	No	-	The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke()
- role	No	object	No	Same as role	Execution role associated with this function
+ runtime	No	object	No	Same as sagemakerBlueprint_domainConfig_domainConfigCr_handlerFunction__layers_items_compatibleRuntimes_items	The runtime configured for this lambda.
+ stack	No	object	No	Same as stack	The stack in which this resource is defined.
+ statementHasArrayTokens	No	object	No	-	Check if a policy statement contains array tokens that would cause CloudFormation resolution conflicts when mixed with literal arrays in the same policy document. Array tokens are created by CloudFormation intrinsic functions that return arrays, such as Fn::Split, Fn::GetAZs, etc. These cannot be safely merged with literal resource arrays due to CloudFormation's token resolution limitations. Individual string tokens within literal arrays (e.g., `["arn:${token}:..."]`) are safe and do not cause conflicts, so they are not detected by this method.
- timeout	No	object	No	In #/definitions/Duration	The timeout configured for this lambda.
+ validateConditionCombinations	No	object	No	-	-
+ validateConditions	No	object	No	-	-
+ validateProfiling	No	object	No	-	-

9.6.7.4.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _allowCrossEnvironment`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _architecture`


Type	`object`
Required	No
Additional properties	Any type allowed

9.6.7.4.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/Connections

Description: Actual connections object for this Lambda

May be unset, in which case this Lambda is not configured use in a VPC.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ _securityGroupRules	No	object	No	-	The rule that defines how to represent this peer in a security group
+ _securityGroups	No	object	No	-	Underlying securityGroup for this Connections object, if present May be empty if this Connections object is not managing a SecurityGroup, but simply representing a Connectable peer.
+ connections	No	object	No	Same as _connections	The network connections associated with this resource.
- defaultPort	No	object	No	In #/definitions/Port	The default port configured for this connection peer, if available
+ remoteRule	No	object	No	-	When doing bidirectional grants between Security Groups in different stacks, put the rule on the other SG
+ securityGroups	No	array	No	-	-
+ skip	No	object	No	-	When doing bidirectional grants between Connections, make sure we don't recursive infinitely

9.6.7.4.3.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > _securityGroupRules`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: The rule that defines how to represent this peer in a security group

9.6.7.4.3.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > _securityGroups`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Underlying securityGroup for this Connections object, if present

May be empty if this Connections object is not managing a SecurityGroup, but simply representing a Connectable peer.

9.6.7.4.3.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > connections`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	_connections

Description: The network connections associated with this resource.

9.6.7.4.3.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > defaultPort`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/Port

Description: The default port configured for this connection peer, if available

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ canInlineRule	No	boolean	No	-	Whether the rule containing this port range can be inlined into a securitygroup or not.
+ props	No	object	No	-	-

9.6.7.4.3.4.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > defaultPort > canInlineRule`


Type	`boolean`
Required	Yes

Description: Whether the rule containing this port range can be inlined into a securitygroup or not.

9.6.7.4.3.4.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > defaultPort > props`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.3.5. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > remoteRule`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: When doing bidirectional grants between Security Groups in different stacks, put the rule on the other SG

9.6.7.4.3.6. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups`


Type	`array`
Required	Yes

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
ISecurityGroup	Interface for security group-like objects

9.6.7.4.3.6.1. root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > ISecurityGroup


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/ISecurityGroup

Description: Interface for security group-like objects

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ allowAllOutbound	No	boolean	No	-	Whether the SecurityGroup has been configured to allow all outbound traffic
+ canInlineRule	No	boolean	No	-	Whether the rule can be inlined into a SecurityGroup or not
+ connections	No	object	No	Same as _connections	The network connections associated with this resource.
+ env	No	object	No	Same as env	The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
+ node	No	object	No	In #/definitions/Node	The tree node.
+ securityGroupId	No	string	No	-	ID for the current security group
+ securityGroupRef	No	object	No	In #/definitions/SecurityGroupReference	A reference to a SecurityGroup resource.
+ stack	No	object	No	In #/definitions/Stack	The stack in which this resource is defined.
+ uniqueId	No	string	No	-	A unique identifier for this connection peer

9.6.7.4.3.6.1.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > allowAllOutbound`


Type	`boolean`
Required	Yes

Description: Whether the SecurityGroup has been configured to allow all outbound traffic

9.6.7.4.3.6.1.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > canInlineRule`


Type	`boolean`
Required	Yes

Description: Whether the rule can be inlined into a SecurityGroup or not

9.6.7.4.3.6.1.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > connections`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	_connections

Description: The network connections associated with this resource.

9.6.7.4.3.6.1.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > env`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	env

Description: The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

9.6.7.4.3.6.1.5. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/Node

Description: The tree node.

Property	Pattern	Type	Deprecated	Definition	Title/Description
- _addr	No	object	No	-	-
+ _children	No	object	No	-	-
+ _context	No	object	No	-	-
+ _defaultChild	No	object	No	-	-
+ _dependencies	No	object	No	-	-
+ _locked	No	object	No	-	-
+ _metadata	No	object	No	-	-
+ _validations	No	object	No	-	-
+ addChild	No	object	No	-	Adds a child construct to this node.
+ addr	No	string	No	-	Returns an opaque tree-unique address for this construct. Addresses are 42 characters hexadecimal strings. They begin with "c8" followed by 40 lowercase hexadecimal characters (0-9a-f). Addresses are calculated using a SHA-1 of the components of the construct path. To enable refactorings of construct trees, constructs with the ID `Default` will be excluded from the calculation. In those cases constructs in the same tree may have the same addreess.
+ children	No	array	No	-	All direct children of this construct.
- defaultChild	No	object	No	Same as sagemakerBlueprint_domainConfig_domainConfigCr_handlerFunction__connections_securityGroups_items_node_children_items	Returns the child construct that has the id `Default` or `Resource"`. This is usually the construct that provides the bulk of the underlying functionality. Useful for modifications of the underlying construct that are not available at the higher levels. Override the defaultChild property. This should only be used in the cases where the correct default child is not named 'Resource' or 'Default' as it should be. If you set this to undefined, the default behavior of finding the child named 'Resource' or 'Default' will be used.
+ dependencies	No	array	No	-	Return all dependencies registered on this node (non-recursive).
+ host	No	object	No	-	-
+ id	No	string	No	-	The id of this construct within the current scope. This is a a scope-unique id. To obtain an app-unique id for this construct, use `addr`.
+ locked	No	boolean	No	-	Returns true if this construct or the scopes in which it is defined are locked.
+ metadata	No	array	No	-	An immutable array of metadata objects associated with this construct. This can be used, for example, to implement support for deprecation notices, source mapping, etc.
+ path	No	string	No	-	The full, absolute path of this construct in the tree. Components are separated by '/'.
+ root	No	object	No	Same as sagemakerBlueprint_domainConfig_domainConfigCr_handlerFunction__connections_securityGroups_items_node_children_items	Returns the root of the construct tree.
- scope	No	object	No	Same as sagemakerBlueprint_domainConfig_domainConfigCr_handlerFunction__connections_securityGroups_items_node_children_items	Returns the scope in which this construct is defined. The value is `undefined` at the root of the construct scope tree.
+ scopes	No	array	No	-	All parent scopes of this construct.

9.6.7.4.3.6.1.5.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > _addr`


Type	`object`
Required	No
Additional properties	Any type allowed

9.6.7.4.3.6.1.5.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > _children`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.3.6.1.5.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > _context`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.3.6.1.5.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > _defaultChild`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.3.6.1.5.5. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > _dependencies`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.3.6.1.5.6. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > _locked`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.3.6.1.5.7. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > _metadata`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.3.6.1.5.8. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > _validations`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.3.6.1.5.9. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > addChild`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Adds a child construct to this node.

9.6.7.4.3.6.1.5.10. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > addr`


Type	`string`
Required	Yes

Description: Returns an opaque tree-unique address for this construct.

Addresses are 42 characters hexadecimal strings. They begin with "c8" followed by 40 lowercase hexadecimal characters (0-9a-f).

Addresses are calculated using a SHA-1 of the components of the construct path.

To enable refactorings of construct trees, constructs with the ID Default will be excluded from the calculation. In those cases constructs in the same tree may have the same addreess.

9.6.7.4.3.6.1.5.11. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > children`


Type	`array`
Required	Yes

Description: All direct children of this construct.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
IConstruct	Represents a construct.

9.6.7.4.3.6.1.5.11.1. root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > children > IConstruct


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/IConstruct

Description: Represents a construct.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ node	No	object	No	Same as node	The tree node.

9.6.7.4.3.6.1.5.11.1.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > children > children items > node`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	node

Description: The tree node.

9.6.7.4.3.6.1.5.12. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > defaultChild`


Type	`object`
Required	No
Additional properties	Not allowed
Same definition as	sagemakerBlueprint_domainConfig_domainConfigCr_handlerFunction__connections_securityGroups_items_node_children_items

Description: Returns the child construct that has the id Default or Resource". This is usually the construct that provides the bulk of the underlying functionality. Useful for modifications of the underlying construct that are not available at the higher levels. Override the defaultChild property.

This should only be used in the cases where the correct default child is not named 'Resource' or 'Default' as it should be.

If you set this to undefined, the default behavior of finding the child named 'Resource' or 'Default' will be used.

9.6.7.4.3.6.1.5.13. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > dependencies`


Type	`array`
Required	Yes

Description: Return all dependencies registered on this node (non-recursive).

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
IConstruct	Represents a construct.

9.6.7.4.3.6.1.5.13.1. root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > dependencies > IConstruct


Type	`object`
Required	No
Additional properties	Not allowed
Same definition as	sagemakerBlueprint_domainConfig_domainConfigCr_handlerFunction__connections_securityGroups_items_node_children_items

Description: Represents a construct.

9.6.7.4.3.6.1.5.14. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > host`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.3.6.1.5.15. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > id`


Type	`string`
Required	Yes

Description: The id of this construct within the current scope.

This is a a scope-unique id. To obtain an app-unique id for this construct, use addr.

9.6.7.4.3.6.1.5.16. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > locked`


Type	`boolean`
Required	Yes

Description: Returns true if this construct or the scopes in which it is defined are locked.

9.6.7.4.3.6.1.5.17. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > metadata`


Type	`array`
Required	Yes

Description: An immutable array of metadata objects associated with this construct. This can be used, for example, to implement support for deprecation notices, source mapping, etc.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
MetadataEntry	An entry in the construct metadata table.

9.6.7.4.3.6.1.5.17.1. root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > metadata > MetadataEntry


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/MetadataEntry

Description: An entry in the construct metadata table.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ data	No	object	No	-	The data.
- trace	No	array of string	No	-	Stack trace at the point of adding the metadata. Only available if `addMetadata()` is called with `stackTrace: true`.
+ type	No	string	No	-	The metadata entry type.

9.6.7.4.3.6.1.5.17.1.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > metadata > metadata items > data`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: The data.

9.6.7.4.3.6.1.5.17.1.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > metadata > metadata items > trace`


Type	`array of string`
Required	No
Default	`"- no trace information"`

Description: Stack trace at the point of adding the metadata.

Only available if addMetadata() is called with stackTrace: true.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
trace items	-

9.6.7.4.3.6.1.5.17.1.2.1. root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > metadata > metadata items > trace > trace items


Type	`string`
Required	No

9.6.7.4.3.6.1.5.17.1.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > metadata > metadata items > type`


Type	`string`
Required	Yes

Description: The metadata entry type.

9.6.7.4.3.6.1.5.18. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > path`


Type	`string`
Required	Yes

Description: The full, absolute path of this construct in the tree.

Components are separated by '/'.

9.6.7.4.3.6.1.5.19. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > root`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	sagemakerBlueprint_domainConfig_domainConfigCr_handlerFunction__connections_securityGroups_items_node_children_items

Description: Returns the root of the construct tree.

9.6.7.4.3.6.1.5.20. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > scope`


Type	`object`
Required	No
Additional properties	Not allowed
Same definition as	sagemakerBlueprint_domainConfig_domainConfigCr_handlerFunction__connections_securityGroups_items_node_children_items

Description: Returns the scope in which this construct is defined.

The value is undefined at the root of the construct scope tree.

9.6.7.4.3.6.1.5.21. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > scopes`


Type	`array`
Required	Yes

Description: All parent scopes of this construct.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
IConstruct	Represents a construct.

9.6.7.4.3.6.1.5.21.1. root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > node > scopes > IConstruct


Type	`object`
Required	No
Additional properties	Not allowed
Same definition as	sagemakerBlueprint_domainConfig_domainConfigCr_handlerFunction__connections_securityGroups_items_node_children_items

Description: Represents a construct.

9.6.7.4.3.6.1.6. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > securityGroupId`


Type	`string`
Required	Yes

Description: ID for the current security group

9.6.7.4.3.6.1.7. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > securityGroupRef`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/SecurityGroupReference

Description: A reference to a SecurityGroup resource.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ securityGroupId	No	string	No	-	The Id of the SecurityGroup resource.

9.6.7.4.3.6.1.7.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > securityGroupRef > securityGroupId`


Type	`string`
Required	Yes

Description: The Id of the SecurityGroup resource.

9.6.7.4.3.6.1.8. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/Stack

Description: The stack in which this resource is defined.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ _crossRegionReferences	No	boolean	No	-	Whether cross region references are enabled for this stack
+ _logicalIds	No	object	No	-	Logical ID generation strategy
+ _missingContext	No	object	No	-	Lists all missing contextual information. This is returned when the stack is synthesized under the 'missing' attribute and allows tooling to obtain the context and re-synthesize.
- _notificationArns	No	array of string	No	-	SNS Notification ARNs to receive stack events.
+ _stackDependencies	No	object	No	-	Other stacks this stack depends on
+ _stackName	No	object	No	-	-
+ _suppressTemplateIndentation	No	object	No	-	Enable this flag to suppress indentation in generated CloudFormation templates. If not specified, the value of the `@aws-cdk/core:suppressTemplateIndentation` context key will be used. If that is not specified, then the default value `false` will be used.
+ _terminationProtection	No	object	No	-	-
+ _versionReportingEnabled	No	boolean	No	-	Whether version reporting is enabled for this stack Controls whether the CDK Metadata resource is injected
+ account	No	string	No	-	The AWS account into which this stack will be deployed. This value is resolved according to the following rules: 1. The value provided to `env.account` when the stack is defined. This can either be a concrete account (e.g. `585695031111`) or the `Aws.ACCOUNT_ID` token. 3. `Aws.ACCOUNT_ID`, which represents the CloudFormation intrinsic reference `{ "Ref": "AWS::AccountId" }` encoded as a string token. Preferably, you should use the return value as an opaque string and not attempt to parse it to implement your logic. If you do, you must first check that it is a concrete value an not an unresolved token. If this value is an unresolved token (`Token.isUnresolved(stack.account)` returns `true`), this implies that the user wishes that this stack will synthesize into an account-agnostic template. In this case, your code should either fail (throw an error, emit a synth error using `Annotations.of(construct).addError()`) or implement some other account-agnostic behavior.
+ addPermissionsBoundaryAspect	No	object	No	-	Adds an aspect to the stack that will apply the permissions boundary. This will only add the aspect if the permissions boundary has been set
+ artifactId	No	string	No	-	The ID of the cloud assembly artifact for this stack.
+ availabilityZones	No	array of string	No	-	Returns the list of AZs that are available in the AWS environment (account/region) associated with this stack. If the stack is environment-agnostic (either account and/or region are tokens), this property will return an array with 2 tokens that will resolve at deploy-time to the first two availability zones returned from CloudFormation's `Fn::GetAZs` intrinsic function. If they are not available in the context, returns a set of dummy values and reports them as missing, and let the CLI resolve them by calling EC2 `DescribeAvailabilityZones` on the target environment. To specify a different strategy for selecting availability zones override this method.
+ bundlingRequired	No	boolean	No	-	Indicates whether the stack requires bundling or not
+ dependencies	No	array	No	-	Return the stacks this stack depends on
+ environment	No	string	No	-	The environment coordinates in which this stack is deployed. In the form `aws://account/region`. Use `stack.account` and `stack.region` to obtain the specific values, no need to parse. You can use this value to determine if two stacks are targeting the same environment. If either `stack.account` or `stack.region` are not concrete values (e.g. `Aws.ACCOUNT_ID` or `Aws.REGION`) the special strings `unknown-account` and/or `unknown-region` will be used respectively to indicate this stack is region/account-agnostic.
+ generateStackArtifactId	No	object	No	-	The artifact ID for this stack Stack artifact ID is unique within the App's Cloud Assembly.
+ generateStackId	No	object	No	-	Generate an ID with respect to the given container construct.
+ generateStackName	No	object	No	-	Calculate the stack name based on the construct path The stack name is the name under which we'll deploy the stack, and incorporates containing Stage names by default. Generally this looks a lot like how logical IDs are calculated. The stack name is calculated based on the construct root path, as follows: - Path is calculated with respect to containing App or Stage (if any) - If the path is one component long just use that component, otherwise combine them with a hash. Since the hash is quite ugly and we'd like to avoid it if possible -- but we can't anymore in the general case since it has been written into legacy stacks. The introduction of Stages makes it possible to make this nicer however. When a Stack is nested inside a Stage, we use the path components below the Stage, and prefix the path components of the Stage before it.
+ maxResources	No	object	No	-	Maximum number of resources in the stack Set to 0 to mean "unlimited".
+ nested	No	boolean	No	-	Indicates if this is a nested stack, in which case `parentStack` will include a reference to it's parent.
- nestedStackParent	No	object	No	Same as stack	If this is a nested stack, returns it's parent stack.
- nestedStackResource	No	object	No	In #/definitions/CfnResource	If this is a nested stack, this represents its `AWS::CloudFormation::Stack` resource. `undefined` for top-level (non-nested) stacks.
+ node	No	object	No	Same as node	The tree node.
+ notificationArns	No	array of string	No	-	Returns the list of notification Amazon Resource Names (ARNs) for the current stack.
+ parseEnvironment	No	object	No	-	Determine the various stack environment attributes.
+ partition	No	string	No	-	The partition in which this stack is defined
+ permissionsBoundaryArn	No	object	No	-	If a permissions boundary has been applied on this scope or any parent scope then this will return the ARN of the permissions boundary. This will return the permissions boundary that has been applied to the most specific scope. For example: const stage = new Stage(app, 'stage', { permissionsBoundary: PermissionsBoundary.fromName('stage-pb'), }); const stack = new Stack(stage, 'Stack', { permissionsBoundary: PermissionsBoundary.fromName('some-other-pb'), }); Stack.permissionsBoundaryArn === 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/some-other-pb';
+ region	No	string	No	-	The AWS region into which this stack will be deployed (e.g. `us-west-2`). This value is resolved according to the following rules: 1. The value provided to `env.region` when the stack is defined. This can either be a concrete region (e.g. `us-west-2`) or the `Aws.REGION` token. 3. `Aws.REGION`, which is represents the CloudFormation intrinsic reference `{ "Ref": "AWS::Region" }` encoded as a string token. Preferably, you should use the return value as an opaque string and not attempt to parse it to implement your logic. If you do, you must first check that it is a concrete value an not an unresolved token. If this value is an unresolved token (`Token.isUnresolved(stack.region)` returns `true`), this implies that the user wishes that this stack will synthesize into a region-agnostic template. In this case, your code should either fail (throw an error, emit a synth error using `Annotations.of(construct).addError()`) or implement some other region-agnostic behavior.
+ resolveExportedValue	No	object	No	-	-
+ stackDependencyReasons	No	object	No	-	Check whether this stack has a (transitive) dependency on another stack Returns the list of reasons on the dependency path, or undefined if there is no dependency.
+ stackId	No	string	No	-	The ID of the stack
+ stackName	No	string	No	-	The concrete CloudFormation physical stack name. This is either the name defined explicitly in the `stackName` prop or allocated based on the stack's location in the construct tree. Stacks that are directly defined under the app use their construct `id` as their stack name. Stacks that are defined deeper within the tree will use a hashed naming scheme based on the construct path to ensure uniqueness. If you wish to obtain the deploy-time AWS::StackName intrinsic, you can use `Aws.STACK_NAME` directly.
+ synthesizer	No	object	No	In #/definitions/IStackSynthesizer	Synthesis method for this stack
+ tags	No	object	No	In #/definitions/TagManager	Tags to be applied to the stack.
+ templateFile	No	string	No	-	The name of the CloudFormation template file emitted to the output directory during synthesis. Example value: `MyStack.template.json`
+ templateOptions	No	object	No	In #/definitions/ITemplateOptions	Options for CloudFormation template (like version, transform, description).
+ terminationProtection	No	boolean	No	-	Whether termination protection is enabled for this stack.
+ urlSuffix	No	string	No	-	The Amazon domain suffix for the region in which this stack is defined

9.6.7.4.3.6.1.8.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > _crossRegionReferences`


Type	`boolean`
Required	Yes

Description: Whether cross region references are enabled for this stack

9.6.7.4.3.6.1.8.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > _logicalIds`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Logical ID generation strategy

9.6.7.4.3.6.1.8.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > _missingContext`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Lists all missing contextual information. This is returned when the stack is synthesized under the 'missing' attribute and allows tooling to obtain the context and re-synthesize.

9.6.7.4.3.6.1.8.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > _notificationArns`


Type	`array of string`
Required	No

Description: SNS Notification ARNs to receive stack events.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
_notificationArns items	-

9.6.7.4.3.6.1.8.4.1. root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > _notificationArns > _notificationArns items


Type	`string`
Required	No

9.6.7.4.3.6.1.8.5. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > _stackDependencies`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Other stacks this stack depends on

9.6.7.4.3.6.1.8.6. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > _stackName`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.3.6.1.8.7. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > _suppressTemplateIndentation`


Type	`object`
Required	Yes
Additional properties	Any type allowed
Default	`"- the value of`@aws-cdk/core:suppressTemplateIndentation`, or`false`if that is not set."`

Description: Enable this flag to suppress indentation in generated CloudFormation templates.

If not specified, the value of the @aws-cdk/core:suppressTemplateIndentation context key will be used. If that is not specified, then the default value false will be used.

9.6.7.4.3.6.1.8.8. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > _terminationProtection`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.3.6.1.8.9. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > _versionReportingEnabled`


Type	`boolean`
Required	Yes

Description: Whether version reporting is enabled for this stack

Controls whether the CDK Metadata resource is injected

9.6.7.4.3.6.1.8.10. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > account`


Type	`string`
Required	Yes

Description: The AWS account into which this stack will be deployed.

This value is resolved according to the following rules:

The value provided to env.account when the stack is defined. This can either be a concrete account (e.g. 585695031111) or the Aws.ACCOUNT_ID token.
Aws.ACCOUNT_ID, which represents the CloudFormation intrinsic reference { "Ref": "AWS::AccountId" } encoded as a string token.

Preferably, you should use the return value as an opaque string and not attempt to parse it to implement your logic. If you do, you must first check that it is a concrete value an not an unresolved token. If this value is an unresolved token (Token.isUnresolved(stack.account) returns true), this implies that the user wishes that this stack will synthesize into an account-agnostic template. In this case, your code should either fail (throw an error, emit a synth error using Annotations.of(construct).addError()) or implement some other account-agnostic behavior.

9.6.7.4.3.6.1.8.11. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > addPermissionsBoundaryAspect`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Adds an aspect to the stack that will apply the permissions boundary. This will only add the aspect if the permissions boundary has been set

9.6.7.4.3.6.1.8.12. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > artifactId`


Type	`string`
Required	Yes

Description: The ID of the cloud assembly artifact for this stack.

9.6.7.4.3.6.1.8.13. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > availabilityZones`


Type	`array of string`
Required	Yes

Description: Returns the list of AZs that are available in the AWS environment (account/region) associated with this stack.

If the stack is environment-agnostic (either account and/or region are tokens), this property will return an array with 2 tokens that will resolve at deploy-time to the first two availability zones returned from CloudFormation's Fn::GetAZs intrinsic function.

If they are not available in the context, returns a set of dummy values and reports them as missing, and let the CLI resolve them by calling EC2 DescribeAvailabilityZones on the target environment.

To specify a different strategy for selecting availability zones override this method.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
availabilityZones items	-

9.6.7.4.3.6.1.8.13.1. root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > availabilityZones > availabilityZones items


Type	`string`
Required	No

9.6.7.4.3.6.1.8.14. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > bundlingRequired`


Type	`boolean`
Required	Yes

Description: Indicates whether the stack requires bundling or not

9.6.7.4.3.6.1.8.15. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > dependencies`


Type	`array`
Required	Yes

Description: Return the stacks this stack depends on

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
Stack	A root construct which represents a single CloudFormation stack.

9.6.7.4.3.6.1.8.15.1. root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > dependencies > Stack


Type	`object`
Required	No
Additional properties	Not allowed
Same definition as	stack

Description: A root construct which represents a single CloudFormation stack.

9.6.7.4.3.6.1.8.16. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > environment`


Type	`string`
Required	Yes

Description: The environment coordinates in which this stack is deployed. In the form aws://account/region. Use stack.account and stack.region to obtain the specific values, no need to parse.

You can use this value to determine if two stacks are targeting the same environment.

If either stack.account or stack.region are not concrete values (e.g. Aws.ACCOUNT_ID or Aws.REGION) the special strings unknown-account and/or unknown-region will be used respectively to indicate this stack is region/account-agnostic.

9.6.7.4.3.6.1.8.17. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > generateStackArtifactId`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: The artifact ID for this stack

Stack artifact ID is unique within the App's Cloud Assembly.

9.6.7.4.3.6.1.8.18. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > generateStackId`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Generate an ID with respect to the given container construct.

9.6.7.4.3.6.1.8.19. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > generateStackName`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Calculate the stack name based on the construct path

The stack name is the name under which we'll deploy the stack, and incorporates containing Stage names by default.

Generally this looks a lot like how logical IDs are calculated. The stack name is calculated based on the construct root path, as follows:

Path is calculated with respect to containing App or Stage (if any)
If the path is one component long just use that component, otherwise combine them with a hash.

Since the hash is quite ugly and we'd like to avoid it if possible -- but we can't anymore in the general case since it has been written into legacy stacks. The introduction of Stages makes it possible to make this nicer however. When a Stack is nested inside a Stage, we use the path components below the Stage, and prefix the path components of the Stage before it.

9.6.7.4.3.6.1.8.20. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > maxResources`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Maximum number of resources in the stack

Set to 0 to mean "unlimited".

9.6.7.4.3.6.1.8.21. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nested`


Type	`boolean`
Required	Yes

Description: Indicates if this is a nested stack, in which case parentStack will include a reference to it's parent.

9.6.7.4.3.6.1.8.22. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackParent`


Type	`object`
Required	No
Additional properties	Not allowed
Same definition as	stack

Description: If this is a nested stack, returns it's parent stack.

9.6.7.4.3.6.1.8.23. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/CfnResource

Description: If this is a nested stack, this represents its AWS::CloudFormation::Stack resource. undefined for top-level (non-nested) stacks.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ _cfnProperties	No	object	No	-	AWS CloudFormation resource properties. This object is returned via cfnProperties
- _logicalIdLocked	No	object	No	-	If the logicalId is locked then it can no longer be overridden. This is needed for cases where the logicalId is consumed prior to synthesis (i.e. Stack.exportValue).
- _logicalIdOverride	No	object	No	-	An explicit logical ID provided by `overrideLogicalId`.
+ cfnOptions	No	object	No	In #/definitions/ICfnResourceOptions	Options for this resource, such as condition, update policy etc.
+ cfnProperties	No	object	No	-	-
+ cfnResourceType	No	string	No	-	AWS resource type.
+ creationStack	No	array of string	No	-	-
+ dependsOn	No	object	No	-	Logical IDs of dependencies. Is filled during prepare().
+ logicalId	No	string	No	-	The logical ID for this CloudFormation stack element. The logical ID of the element is calculated from the path of the resource node in the construct tree. To override this value, use `overrideLogicalId(newLogicalId)`.
+ node	No	object	No	Same as node	The tree node.
+ rawOverrides	No	object	No	-	An object to be merged on top of the entire resource definition.
+ ref	No	string	No	-	Return a string that will be resolved to a CloudFormation `{ Ref }` for this element. If, by any chance, the intrinsic reference of a resource is not a string, you could coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
+ stack	No	object	No	Same as stack	The stack in which this element is defined. CfnElements must be defined within a stack scope (directly or indirectly).
+ synthesizeLogicalId	No	object	No	-	Called during synthesize to render the logical ID of this element. If `overrideLogicalId` was it will be used, otherwise, we will allocate the logical ID through the stack.
+ updatedProperites	No	object	No	-	Deprecated
+ updatedProperties	No	object	No	-	Return properties modified after initiation Resources that expose mutable properties should override this function to collect and return the properties object for this resource.

9.6.7.4.3.6.1.8.23.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > _cfnProperties`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: AWS CloudFormation resource properties.

This object is returned via cfnProperties

9.6.7.4.3.6.1.8.23.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > _logicalIdLocked`


Type	`object`
Required	No
Additional properties	Any type allowed

Description: If the logicalId is locked then it can no longer be overridden. This is needed for cases where the logicalId is consumed prior to synthesis (i.e. Stack.exportValue).

9.6.7.4.3.6.1.8.23.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > _logicalIdOverride`


Type	`object`
Required	No
Additional properties	Any type allowed

Description: An explicit logical ID provided by overrideLogicalId.

9.6.7.4.3.6.1.8.23.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/ICfnResourceOptions

Description: Options for this resource, such as condition, update policy etc.

Property	Pattern	Type	Deprecated	Definition	Title/Description
- condition	No	object	No	In #/definitions/CfnCondition	A condition to associate with this resource. This means that only if the condition evaluates to 'true' when the stack is deployed, the resource will be included. This is provided to allow CDK projects to produce legacy templates, but normally there is no need to use it in CDK projects.
- creationPolicy	No	object	No	In #/definitions/CfnCreationPolicy	Associate the CreationPolicy attribute with a resource to prevent its status from reaching create complete until AWS CloudFormation receives a specified number of success signals or the timeout period is exceeded. To signal a resource, you can use the cfn-signal helper script or SignalResource API. AWS CloudFormation publishes valid signals to the stack events so that you track the number of signals sent.
- deletionPolicy	No	enum (of string)	No	-	With the DeletionPolicy attribute you can preserve or (in some cases) backup a resource when its stack is deleted. You specify a DeletionPolicy attribute for each resource that you want to control. If a resource has no DeletionPolicy attribute, AWS CloudFormation deletes the resource by default. Note that this capability also applies to update operations that lead to resources being removed.
- description	No	string	No	-	The description of this resource. Used for informational purposes only, is not processed in any way (and stays with the CloudFormation template, is not passed to the underlying resource, even if it does have a 'description' property).
- metadata	No	object	No	-	Metadata associated with the CloudFormation resource. This is not the same as the construct metadata which can be added using construct.addMetadata(), but would not appear in the CloudFormation template automatically.
- updatePolicy	No	object	No	In #/definitions/CfnUpdatePolicy	Use the UpdatePolicy attribute to specify how AWS CloudFormation handles updates to the AWS::AutoScaling::AutoScalingGroup resource. AWS CloudFormation invokes one of three update policies depending on the type of change you make or whether a scheduled action is associated with the Auto Scaling group.
- updateReplacePolicy	No	enum (of string)	No	-	Use the UpdateReplacePolicy attribute to retain or (in some cases) backup the existing physical instance of a resource when it is replaced during a stack update operation.
- version	No	string	No	-	The version of this resource. Used only for custom CloudFormation resources.

9.6.7.4.3.6.1.8.23.4.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > condition`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/CfnCondition

Description: A condition to associate with this resource. This means that only if the condition evaluates to 'true' when the stack is deployed, the resource will be included. This is provided to allow CDK projects to produce legacy templates, but normally there is no need to use it in CDK projects.

Property	Pattern	Type	Deprecated	Definition	Title/Description
- _logicalIdLocked	No	object	No	-	If the logicalId is locked then it can no longer be overridden. This is needed for cases where the logicalId is consumed prior to synthesis (i.e. Stack.exportValue).
- _logicalIdOverride	No	object	No	-	An explicit logical ID provided by `overrideLogicalId`.
+ creationStack	No	array of string	No	-	-
- expression	No	object	No	In #/definitions/ICfnConditionExpression	The condition statement.
+ logicalId	No	string	No	-	The logical ID for this CloudFormation stack element. The logical ID of the element is calculated from the path of the resource node in the construct tree. To override this value, use `overrideLogicalId(newLogicalId)`.
+ node	No	object	No	Same as node	The tree node.
+ stack	No	object	No	Same as stack	The stack in which this element is defined. CfnElements must be defined within a stack scope (directly or indirectly).
+ synthesizeLogicalId	No	object	No	-	Called during synthesize to render the logical ID of this element. If `overrideLogicalId` was it will be used, otherwise, we will allocate the logical ID through the stack.

9.6.7.4.3.6.1.8.23.4.1.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > condition > _logicalIdLocked`


Type	`object`
Required	No
Additional properties	Any type allowed

Description: If the logicalId is locked then it can no longer be overridden. This is needed for cases where the logicalId is consumed prior to synthesis (i.e. Stack.exportValue).

9.6.7.4.3.6.1.8.23.4.1.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > condition > _logicalIdOverride`


Type	`object`
Required	No
Additional properties	Any type allowed

Description: An explicit logical ID provided by overrideLogicalId.

9.6.7.4.3.6.1.8.23.4.1.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > condition > creationStack`


Type	`array of string`
Required	Yes

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
creationStack items	-

9.6.7.4.3.6.1.8.23.4.1.3.1. root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > condition > creationStack > creationStack items


Type	`string`
Required	No

9.6.7.4.3.6.1.8.23.4.1.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > condition > expression`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/ICfnConditionExpression

Description: The condition statement.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ creationStack	No	array of string	No	-	The creation stack of this resolvable which will be appended to errors thrown during resolution. This may return an array with a single informational element indicating how to get this property populated, if it was skipped for performance reasons.
- typeHint	No	enum (of string)	No	-	The type that this token will likely resolve to.

9.6.7.4.3.6.1.8.23.4.1.4.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > condition > expression > creationStack`


Type	`array of string`
Required	Yes

Description: The creation stack of this resolvable which will be appended to errors thrown during resolution.

This may return an array with a single informational element indicating how to get this property populated, if it was skipped for performance reasons.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
creationStack items	-

9.6.7.4.3.6.1.8.23.4.1.4.1.1. root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > condition > expression > creationStack > creationStack items


Type	`string`
Required	No

9.6.7.4.3.6.1.8.23.4.1.4.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > condition > expression > typeHint`


Type	`enum (of string)`
Required	No

Description: The type that this token will likely resolve to.

Must be one of: * "number" * "string" * "string-list"

9.6.7.4.3.6.1.8.23.4.1.5. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > condition > logicalId`


Type	`string`
Required	Yes

Description: The logical ID for this CloudFormation stack element. The logical ID of the element is calculated from the path of the resource node in the construct tree.

To override this value, use overrideLogicalId(newLogicalId).

9.6.7.4.3.6.1.8.23.4.1.6. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > condition > node`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	node

Description: The tree node.

9.6.7.4.3.6.1.8.23.4.1.7. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > condition > stack`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	stack

Description: The stack in which this element is defined. CfnElements must be defined within a stack scope (directly or indirectly).

9.6.7.4.3.6.1.8.23.4.1.8. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > condition > synthesizeLogicalId`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Called during synthesize to render the logical ID of this element. If overrideLogicalId was it will be used, otherwise, we will allocate the logical ID through the stack.

9.6.7.4.3.6.1.8.23.4.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > creationPolicy`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/CfnCreationPolicy

Description: Associate the CreationPolicy attribute with a resource to prevent its status from reaching create complete until AWS CloudFormation receives a specified number of success signals or the timeout period is exceeded. To signal a resource, you can use the cfn-signal helper script or SignalResource API. AWS CloudFormation publishes valid signals to the stack events so that you track the number of signals sent.

Property	Pattern	Type	Deprecated	Definition	Title/Description
- autoScalingCreationPolicy	No	object	No	In #/definitions/CfnResourceAutoScalingCreationPolicy	For an Auto Scaling group replacement update, specifies how many instances must signal success for the update to succeed.
- resourceSignal	No	object	No	In #/definitions/CfnResourceSignal	When AWS CloudFormation creates the associated resource, configures the number of required success signals and the length of time that AWS CloudFormation waits for those signals.
- startFleet	No	boolean	No	-	For an AppStream Fleet creation, specifies that the fleet is started after creation.

9.6.7.4.3.6.1.8.23.4.2.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > creationPolicy > autoScalingCreationPolicy`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/CfnResourceAutoScalingCreationPolicy

Description: For an Auto Scaling group replacement update, specifies how many instances must signal success for the update to succeed.

Property	Pattern	Type	Deprecated	Definition	Title/Description
- minSuccessfulInstancesPercent	No	number	No	-	Specifies the percentage of instances in an Auto Scaling replacement update that must signal success for the update to succeed. You can specify a value from 0 to 100. AWS CloudFormation rounds to the nearest tenth of a percent. For example, if you update five instances with a minimum successful percentage of 50, three instances must signal success. If an instance doesn't send a signal within the time specified by the Timeout property, AWS CloudFormation assumes that the instance wasn't created.

9.6.7.4.3.6.1.8.23.4.2.1.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > creationPolicy > autoScalingCreationPolicy > minSuccessfulInstancesPercent`


Type	`number`
Required	No

Description: Specifies the percentage of instances in an Auto Scaling replacement update that must signal success for the update to succeed. You can specify a value from 0 to 100. AWS CloudFormation rounds to the nearest tenth of a percent. For example, if you update five instances with a minimum successful percentage of 50, three instances must signal success. If an instance doesn't send a signal within the time specified by the Timeout property, AWS CloudFormation assumes that the instance wasn't created.

9.6.7.4.3.6.1.8.23.4.2.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > creationPolicy > resourceSignal`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/CfnResourceSignal

Description: When AWS CloudFormation creates the associated resource, configures the number of required success signals and the length of time that AWS CloudFormation waits for those signals.

Property	Pattern	Type	Deprecated	Definition	Title/Description
- count	No	number	No	-	The number of success signals AWS CloudFormation must receive before it sets the resource status as CREATE_COMPLETE. If the resource receives a failure signal or doesn't receive the specified number of signals before the timeout period expires, the resource creation fails and AWS CloudFormation rolls the stack back.
- timeout	No	string	No	-	The length of time that AWS CloudFormation waits for the number of signals that was specified in the Count property. The timeout period starts after AWS CloudFormation starts creating the resource, and the timeout expires no sooner than the time you specify but can occur shortly thereafter. The maximum time that you can specify is 12 hours.

9.6.7.4.3.6.1.8.23.4.2.2.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > creationPolicy > resourceSignal > count`


Type	`number`
Required	No

Description: The number of success signals AWS CloudFormation must receive before it sets the resource status as CREATE_COMPLETE. If the resource receives a failure signal or doesn't receive the specified number of signals before the timeout period expires, the resource creation fails and AWS CloudFormation rolls the stack back.

9.6.7.4.3.6.1.8.23.4.2.2.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > creationPolicy > resourceSignal > timeout`


Type	`string`
Required	No

Description: The length of time that AWS CloudFormation waits for the number of signals that was specified in the Count property. The timeout period starts after AWS CloudFormation starts creating the resource, and the timeout expires no sooner than the time you specify but can occur shortly thereafter. The maximum time that you can specify is 12 hours.

9.6.7.4.3.6.1.8.23.4.2.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > creationPolicy > startFleet`


Type	`boolean`
Required	No

Description: For an AppStream Fleet creation, specifies that the fleet is started after creation.

9.6.7.4.3.6.1.8.23.4.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > deletionPolicy`


Type	`enum (of string)`
Required	No

Description: With the DeletionPolicy attribute you can preserve or (in some cases) backup a resource when its stack is deleted. You specify a DeletionPolicy attribute for each resource that you want to control. If a resource has no DeletionPolicy attribute, AWS CloudFormation deletes the resource by default. Note that this capability also applies to update operations that lead to resources being removed.

Must be one of: * "Delete" * "Retain" * "RetainExceptOnCreate" * "Snapshot"

9.6.7.4.3.6.1.8.23.4.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > description`


Type	`string`
Required	No

Description: The description of this resource. Used for informational purposes only, is not processed in any way (and stays with the CloudFormation template, is not passed to the underlying resource, even if it does have a 'description' property).

9.6.7.4.3.6.1.8.23.4.5. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > metadata`


Type	`object`
Required	No
Additional properties	Each additional property must conform to the schema

Description: Metadata associated with the CloudFormation resource. This is not the same as the construct metadata which can be added using construct.addMetadata(), but would not appear in the CloudFormation template automatically.

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	object	No	-	-

9.6.7.4.3.6.1.8.23.4.5.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > metadata > additionalProperties`


Type	`object`
Required	No
Additional properties	Any type allowed

9.6.7.4.3.6.1.8.23.4.6. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > updatePolicy`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/CfnUpdatePolicy

Description: Use the UpdatePolicy attribute to specify how AWS CloudFormation handles updates to the AWS::AutoScaling::AutoScalingGroup resource. AWS CloudFormation invokes one of three update policies depending on the type of change you make or whether a scheduled action is associated with the Auto Scaling group.

Property	Pattern	Type	Deprecated	Definition	Title/Description
- autoScalingReplacingUpdate	No	object	No	In #/definitions/CfnAutoScalingReplacingUpdate	Specifies whether an Auto Scaling group and the instances it contains are replaced during an update. During replacement, AWS CloudFormation retains the old group until it finishes creating the new one. If the update fails, AWS CloudFormation can roll back to the old Auto Scaling group and delete the new Auto Scaling group.
- autoScalingRollingUpdate	No	object	No	In #/definitions/CfnAutoScalingRollingUpdate	To specify how AWS CloudFormation handles rolling updates for an Auto Scaling group, use the AutoScalingRollingUpdate policy. Rolling updates enable you to specify whether AWS CloudFormation updates instances that are in an Auto Scaling group in batches or all at once.
- autoScalingScheduledAction	No	object	No	In #/definitions/CfnAutoScalingScheduledAction	To specify how AWS CloudFormation handles updates for the MinSize, MaxSize, and DesiredCapacity properties when the AWS::AutoScaling::AutoScalingGroup resource has an associated scheduled action, use the AutoScalingScheduledAction policy.
- codeDeployLambdaAliasUpdate	No	object	No	In #/definitions/CfnCodeDeployLambdaAliasUpdate	To perform an AWS CodeDeploy deployment when the version changes on an AWS::Lambda::Alias resource, use the CodeDeployLambdaAliasUpdate update policy.
- enableVersionUpgrade	No	boolean	No	-	To upgrade an Amazon ES domain to a new version of Elasticsearch rather than replacing the entire AWS::Elasticsearch::Domain resource, use the EnableVersionUpgrade update policy.
- useOnlineResharding	No	boolean	No	-	To modify a replication group's shards by adding or removing shards, rather than replacing the entire AWS::ElastiCache::ReplicationGroup resource, use the UseOnlineResharding update policy.

9.6.7.4.3.6.1.8.23.4.6.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > updatePolicy > autoScalingReplacingUpdate`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/CfnAutoScalingReplacingUpdate

Description: Specifies whether an Auto Scaling group and the instances it contains are replaced during an update. During replacement, AWS CloudFormation retains the old group until it finishes creating the new one. If the update fails, AWS CloudFormation can roll back to the old Auto Scaling group and delete the new Auto Scaling group.

Property	Pattern	Type	Deprecated	Definition	Title/Description
- willReplace	No	boolean	No	-	-

9.6.7.4.3.6.1.8.23.4.6.1.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > updatePolicy > autoScalingReplacingUpdate > willReplace`


Type	`boolean`
Required	No

9.6.7.4.3.6.1.8.23.4.6.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > updatePolicy > autoScalingRollingUpdate`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/CfnAutoScalingRollingUpdate

Description: To specify how AWS CloudFormation handles rolling updates for an Auto Scaling group, use the AutoScalingRollingUpdate policy. Rolling updates enable you to specify whether AWS CloudFormation updates instances that are in an Auto Scaling group in batches or all at once.

Property	Pattern	Type	Deprecated	Definition	Title/Description
- maxBatchSize	No	number	No	-	Specifies the maximum number of instances that AWS CloudFormation updates.
- minActiveInstancesPercent	No	number	No	-	Specifies the percentage of instances in an Auto Scaling group that must remain in service while AWS CloudFormation updates old instances. You can specify a value from 0 to 100. AWS CloudFormation rounds to the nearest tenth of a percent. For example, if you update five instances with a minimum active percentage of 50, three instances must remain in service.
- minInstancesInService	No	number	No	-	Specifies the minimum number of instances that must be in service within the Auto Scaling group while AWS CloudFormation updates old instances.
- minSuccessfulInstancesPercent	No	number	No	-	Specifies the percentage of instances in an Auto Scaling rolling update that must signal success for an update to succeed. You can specify a value from 0 to 100. AWS CloudFormation rounds to the nearest tenth of a percent. For example, if you update five instances with a minimum successful percentage of 50, three instances must signal success. If an instance doesn't send a signal within the time specified in the PauseTime property, AWS CloudFormation assumes that the instance wasn't updated. If you specify this property, you must also enable the WaitOnResourceSignals and PauseTime properties.
- pauseTime	No	string	No	-	The amount of time that AWS CloudFormation pauses after making a change to a batch of instances to give those instances time to start software applications. For example, you might need to specify PauseTime when scaling up the number of instances in an Auto Scaling group. If you enable the WaitOnResourceSignals property, PauseTime is the amount of time that AWS CloudFormation should wait for the Auto Scaling group to receive the required number of valid signals from added or replaced instances. If the PauseTime is exceeded before the Auto Scaling group receives the required number of signals, the update fails. For best results, specify a time period that gives your applications sufficient time to get started. If the update needs to be rolled back, a short PauseTime can cause the rollback to fail. Specify PauseTime in the ISO8601 duration format (in the format PT#H#M#S, where each # is the number of hours, minutes, and seconds, respectively). The maximum PauseTime is one hour (PT1H).
- suspendProcesses	No	array of string	No	-	Specifies the Auto Scaling processes to suspend during a stack update. Suspending processes prevents Auto Scaling from interfering with a stack update. For example, you can suspend alarming so that Auto Scaling doesn't execute scaling policies associated with an alarm. For valid values, see the ScalingProcesses.member.N parameter for the SuspendProcesses action in the Auto Scaling API Reference.
- waitOnResourceSignals	No	boolean	No	-	Specifies whether the Auto Scaling group waits on signals from new instances during an update. Use this property to ensure that instances have completed installing and configuring applications before the Auto Scaling group update proceeds. AWS CloudFormation suspends the update of an Auto Scaling group after new EC2 instances are launched into the group. AWS CloudFormation must receive a signal from each new instance within the specified PauseTime before continuing the update. To signal the Auto Scaling group, use the cfn-signal helper script or SignalResource API. To have instances wait for an Elastic Load Balancing health check before they signal success, add a health-check verification by using the cfn-init helper script. For an example, see the verify_instance_health command in the Auto Scaling rolling updates sample template.

9.6.7.4.3.6.1.8.23.4.6.2.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > updatePolicy > autoScalingRollingUpdate > maxBatchSize`


Type	`number`
Required	No

Description: Specifies the maximum number of instances that AWS CloudFormation updates.

9.6.7.4.3.6.1.8.23.4.6.2.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > updatePolicy > autoScalingRollingUpdate > minActiveInstancesPercent`


Type	`number`
Required	No

Description: Specifies the percentage of instances in an Auto Scaling group that must remain in service while AWS CloudFormation updates old instances. You can specify a value from 0 to 100. AWS CloudFormation rounds to the nearest tenth of a percent. For example, if you update five instances with a minimum active percentage of 50, three instances must remain in service.

9.6.7.4.3.6.1.8.23.4.6.2.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > updatePolicy > autoScalingRollingUpdate > minInstancesInService`


Type	`number`
Required	No

Description: Specifies the minimum number of instances that must be in service within the Auto Scaling group while AWS CloudFormation updates old instances.

9.6.7.4.3.6.1.8.23.4.6.2.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > updatePolicy > autoScalingRollingUpdate > minSuccessfulInstancesPercent`


Type	`number`
Required	No

Description: Specifies the percentage of instances in an Auto Scaling rolling update that must signal success for an update to succeed. You can specify a value from 0 to 100. AWS CloudFormation rounds to the nearest tenth of a percent. For example, if you update five instances with a minimum successful percentage of 50, three instances must signal success.

If an instance doesn't send a signal within the time specified in the PauseTime property, AWS CloudFormation assumes that the instance wasn't updated.

If you specify this property, you must also enable the WaitOnResourceSignals and PauseTime properties.

9.6.7.4.3.6.1.8.23.4.6.2.5. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > updatePolicy > autoScalingRollingUpdate > pauseTime`


Type	`string`
Required	No

Description: The amount of time that AWS CloudFormation pauses after making a change to a batch of instances to give those instances time to start software applications. For example, you might need to specify PauseTime when scaling up the number of instances in an Auto Scaling group.

If you enable the WaitOnResourceSignals property, PauseTime is the amount of time that AWS CloudFormation should wait for the Auto Scaling group to receive the required number of valid signals from added or replaced instances. If the PauseTime is exceeded before the Auto Scaling group receives the required number of signals, the update fails. For best results, specify a time period that gives your applications sufficient time to get started. If the update needs to be rolled back, a short PauseTime can cause the rollback to fail.

Specify PauseTime in the ISO8601 duration format (in the format PT#H#M#S, where each # is the number of hours, minutes, and seconds, respectively). The maximum PauseTime is one hour (PT1H).

9.6.7.4.3.6.1.8.23.4.6.2.6. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > updatePolicy > autoScalingRollingUpdate > suspendProcesses`


Type	`array of string`
Required	No

Description: Specifies the Auto Scaling processes to suspend during a stack update. Suspending processes prevents Auto Scaling from interfering with a stack update. For example, you can suspend alarming so that Auto Scaling doesn't execute scaling policies associated with an alarm. For valid values, see the ScalingProcesses.member.N parameter for the SuspendProcesses action in the Auto Scaling API Reference.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
suspendProcesses items	-

9.6.7.4.3.6.1.8.23.4.6.2.6.1. root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > updatePolicy > autoScalingRollingUpdate > suspendProcesses > suspendProcesses items


Type	`string`
Required	No

9.6.7.4.3.6.1.8.23.4.6.2.7. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > updatePolicy > autoScalingRollingUpdate > waitOnResourceSignals`


Type	`boolean`
Required	No

Description: Specifies whether the Auto Scaling group waits on signals from new instances during an update. Use this property to ensure that instances have completed installing and configuring applications before the Auto Scaling group update proceeds. AWS CloudFormation suspends the update of an Auto Scaling group after new EC2 instances are launched into the group. AWS CloudFormation must receive a signal from each new instance within the specified PauseTime before continuing the update. To signal the Auto Scaling group, use the cfn-signal helper script or SignalResource API.

To have instances wait for an Elastic Load Balancing health check before they signal success, add a health-check verification by using the cfn-init helper script. For an example, see the verify_instance_health command in the Auto Scaling rolling updates sample template.

9.6.7.4.3.6.1.8.23.4.6.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > updatePolicy > autoScalingScheduledAction`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/CfnAutoScalingScheduledAction

Description: To specify how AWS CloudFormation handles updates for the MinSize, MaxSize, and DesiredCapacity properties when the AWS::AutoScaling::AutoScalingGroup resource has an associated scheduled action, use the AutoScalingScheduledAction policy.

Property	Pattern	Type	Deprecated	Definition	Title/Description
- ignoreUnmodifiedGroupSizeProperties	No	boolean	No	-	-

9.6.7.4.3.6.1.8.23.4.6.3.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > updatePolicy > autoScalingScheduledAction > ignoreUnmodifiedGroupSizeProperties`


Type	`boolean`
Required	No

9.6.7.4.3.6.1.8.23.4.6.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > updatePolicy > codeDeployLambdaAliasUpdate`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/CfnCodeDeployLambdaAliasUpdate

Description: To perform an AWS CodeDeploy deployment when the version changes on an AWS::Lambda::Alias resource, use the CodeDeployLambdaAliasUpdate update policy.

Property	Pattern	Type	Deprecated	Definition	Title/Description
- afterAllowTrafficHook	No	string	No	-	The name of the Lambda function to run after traffic routing completes.
+ applicationName	No	string	No	-	The name of the AWS CodeDeploy application.
- beforeAllowTrafficHook	No	string	No	-	The name of the Lambda function to run before traffic routing starts.
+ deploymentGroupName	No	string	No	-	The name of the AWS CodeDeploy deployment group. This is where the traffic-shifting policy is set.

9.6.7.4.3.6.1.8.23.4.6.4.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > updatePolicy > codeDeployLambdaAliasUpdate > afterAllowTrafficHook`


Type	`string`
Required	No

Description: The name of the Lambda function to run after traffic routing completes.

9.6.7.4.3.6.1.8.23.4.6.4.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > updatePolicy > codeDeployLambdaAliasUpdate > applicationName`


Type	`string`
Required	Yes

Description: The name of the AWS CodeDeploy application.

9.6.7.4.3.6.1.8.23.4.6.4.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > updatePolicy > codeDeployLambdaAliasUpdate > beforeAllowTrafficHook`


Type	`string`
Required	No

Description: The name of the Lambda function to run before traffic routing starts.

9.6.7.4.3.6.1.8.23.4.6.4.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > updatePolicy > codeDeployLambdaAliasUpdate > deploymentGroupName`


Type	`string`
Required	Yes

Description: The name of the AWS CodeDeploy deployment group. This is where the traffic-shifting policy is set.

9.6.7.4.3.6.1.8.23.4.6.5. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > updatePolicy > enableVersionUpgrade`


Type	`boolean`
Required	No

Description: To upgrade an Amazon ES domain to a new version of Elasticsearch rather than replacing the entire AWS::Elasticsearch::Domain resource, use the EnableVersionUpgrade update policy.

9.6.7.4.3.6.1.8.23.4.6.6. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > updatePolicy > useOnlineResharding`


Type	`boolean`
Required	No

Description: To modify a replication group's shards by adding or removing shards, rather than replacing the entire AWS::ElastiCache::ReplicationGroup resource, use the UseOnlineResharding update policy.

9.6.7.4.3.6.1.8.23.4.7. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > updateReplacePolicy`


Type	`enum (of string)`
Required	No

Description: Use the UpdateReplacePolicy attribute to retain or (in some cases) backup the existing physical instance of a resource when it is replaced during a stack update operation.

Must be one of: * "Delete" * "Retain" * "RetainExceptOnCreate" * "Snapshot"

9.6.7.4.3.6.1.8.23.4.8. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnOptions > version`


Type	`string`
Required	No

Description: The version of this resource. Used only for custom CloudFormation resources.

9.6.7.4.3.6.1.8.23.5. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnProperties`


Type	`object`
Required	Yes
Additional properties	Each additional property must conform to the schema

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	object	No	-	-

9.6.7.4.3.6.1.8.23.5.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnProperties > additionalProperties`


Type	`object`
Required	No
Additional properties	Any type allowed

9.6.7.4.3.6.1.8.23.6. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > cfnResourceType`


Type	`string`
Required	Yes

Description: AWS resource type.

9.6.7.4.3.6.1.8.23.7. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > creationStack`


Type	`array of string`
Required	Yes

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
creationStack items	-

9.6.7.4.3.6.1.8.23.7.1. root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > creationStack > creationStack items


Type	`string`
Required	No

9.6.7.4.3.6.1.8.23.8. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > dependsOn`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Logical IDs of dependencies.

Is filled during prepare().

9.6.7.4.3.6.1.8.23.9. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > logicalId`


Type	`string`
Required	Yes

Description: The logical ID for this CloudFormation stack element. The logical ID of the element is calculated from the path of the resource node in the construct tree.

To override this value, use overrideLogicalId(newLogicalId).

9.6.7.4.3.6.1.8.23.10. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > node`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	node

Description: The tree node.

9.6.7.4.3.6.1.8.23.11. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > rawOverrides`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: An object to be merged on top of the entire resource definition.

9.6.7.4.3.6.1.8.23.12. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > ref`


Type	`string`
Required	Yes

Description: Return a string that will be resolved to a CloudFormation { Ref } for this element.

If, by any chance, the intrinsic reference of a resource is not a string, you could coerce it to an IResolvable through Lazy.any({ produce: resource.ref }).

9.6.7.4.3.6.1.8.23.13. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > stack`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	stack

Description: The stack in which this element is defined. CfnElements must be defined within a stack scope (directly or indirectly).

9.6.7.4.3.6.1.8.23.14. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > synthesizeLogicalId`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Called during synthesize to render the logical ID of this element. If overrideLogicalId was it will be used, otherwise, we will allocate the logical ID through the stack.

9.6.7.4.3.6.1.8.23.15. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > updatedProperites`


Type	`object`
Required	Yes
Additional properties	Each additional property must conform to the schema

Description: Deprecated

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	object	No	-	-

9.6.7.4.3.6.1.8.23.15.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > updatedProperites > additionalProperties`


Type	`object`
Required	No
Additional properties	Any type allowed

9.6.7.4.3.6.1.8.23.16. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > updatedProperties`


Type	`object`
Required	Yes
Additional properties	Each additional property must conform to the schema

Description: Return properties modified after initiation

Resources that expose mutable properties should override this function to collect and return the properties object for this resource.

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	object	No	-	-

9.6.7.4.3.6.1.8.23.16.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > nestedStackResource > updatedProperties > additionalProperties`


Type	`object`
Required	No
Additional properties	Any type allowed

9.6.7.4.3.6.1.8.24. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > node`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	node

Description: The tree node.

9.6.7.4.3.6.1.8.25. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > notificationArns`


Type	`array of string`
Required	Yes

Description: Returns the list of notification Amazon Resource Names (ARNs) for the current stack.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
notificationArns items	-

9.6.7.4.3.6.1.8.25.1. root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > notificationArns > notificationArns items


Type	`string`
Required	No

9.6.7.4.3.6.1.8.26. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > parseEnvironment`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Determine the various stack environment attributes.

9.6.7.4.3.6.1.8.27. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > partition`


Type	`string`
Required	Yes

Description: The partition in which this stack is defined

9.6.7.4.3.6.1.8.28. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > permissionsBoundaryArn`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: If a permissions boundary has been applied on this scope or any parent scope then this will return the ARN of the permissions boundary.

This will return the permissions boundary that has been applied to the most specific scope.

For example:

const stage = new Stage(app, 'stage', { permissionsBoundary: PermissionsBoundary.fromName('stage-pb'), });

const stack = new Stack(stage, 'Stack', { permissionsBoundary: PermissionsBoundary.fromName('some-other-pb'), });

Stack.permissionsBoundaryArn === 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/some-other-pb';

9.6.7.4.3.6.1.8.29. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > region`


Type	`string`
Required	Yes

Description: The AWS region into which this stack will be deployed (e.g. us-west-2).

This value is resolved according to the following rules:

The value provided to env.region when the stack is defined. This can either be a concrete region (e.g. us-west-2) or the Aws.REGION token.
Aws.REGION, which is represents the CloudFormation intrinsic reference { "Ref": "AWS::Region" } encoded as a string token.

Preferably, you should use the return value as an opaque string and not attempt to parse it to implement your logic. If you do, you must first check that it is a concrete value an not an unresolved token. If this value is an unresolved token (Token.isUnresolved(stack.region) returns true), this implies that the user wishes that this stack will synthesize into a region-agnostic template. In this case, your code should either fail (throw an error, emit a synth error using Annotations.of(construct).addError()) or implement some other region-agnostic behavior.

9.6.7.4.3.6.1.8.30. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > resolveExportedValue`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.3.6.1.8.31. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > stackDependencyReasons`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Check whether this stack has a (transitive) dependency on another stack

Returns the list of reasons on the dependency path, or undefined if there is no dependency.

9.6.7.4.3.6.1.8.32. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > stackId`


Type	`string`
Required	Yes

Description: The ID of the stack

9.6.7.4.3.6.1.8.33. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > stackName`


Type	`string`
Required	Yes

Description: The concrete CloudFormation physical stack name.

This is either the name defined explicitly in the stackName prop or allocated based on the stack's location in the construct tree. Stacks that are directly defined under the app use their construct id as their stack name. Stacks that are defined deeper within the tree will use a hashed naming scheme based on the construct path to ensure uniqueness.

If you wish to obtain the deploy-time AWS::StackName intrinsic, you can use Aws.STACK_NAME directly.

9.6.7.4.3.6.1.8.34. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > synthesizer`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/IStackSynthesizer

Description: Synthesis method for this stack

Property	Pattern	Type	Deprecated	Definition	Title/Description
- bootstrapQualifier	No	string	No	-	The qualifier used to bootstrap this stack
- lookupRole	No	string	No	-	The role used to lookup for this stack

9.6.7.4.3.6.1.8.34.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > synthesizer > bootstrapQualifier`


Type	`string`
Required	No
Default	`"- no qualifier"`

Description: The qualifier used to bootstrap this stack

9.6.7.4.3.6.1.8.34.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > synthesizer > lookupRole`


Type	`string`
Required	No
Default	`"- no role"`

Description: The role used to lookup for this stack

9.6.7.4.3.6.1.8.35. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > tags`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/TagManager

Description: Tags to be applied to the stack.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ _setTag	No	object	No	-	-
+ didHaveInitialTags	No	object	No	-	-
- dynamicTags	No	object	No	-	-
+ externalTagPriority	No	object	No	-	-
+ parseExternalTags	No	object	No	-	Parse external tags. Set the parseable ones into this tag manager. Save the rest (tokens, lazies) in `this.dynamicTags`.
+ priorities	No	object	No	-	-
+ renderedTags	No	object	No	In #/definitions/IResolvable	A lazy value that represents the rendered tags at synthesis time If you need to make a custom construct taggable, use the value of this property to pass to the `tags` property of the underlying construct.
+ resourceTypeName	No	object	No	-	-
+ sortedTags	No	object	No	-	-
+ tagFormatter	No	object	No	-	-
+ tagPropertyName	No	string	No	-	The property name for tag values Normally this is `tags` but some resources choose a different name. Cognito UserPool uses UserPoolTags
+ tags	No	object	No	-	-

9.6.7.4.3.6.1.8.35.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > tags > _setTag`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.3.6.1.8.35.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > tags > didHaveInitialTags`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.3.6.1.8.35.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > tags > dynamicTags`


Type	`object`
Required	No
Additional properties	Any type allowed

9.6.7.4.3.6.1.8.35.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > tags > externalTagPriority`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.3.6.1.8.35.5. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > tags > parseExternalTags`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Parse external tags.

Set the parseable ones into this tag manager. Save the rest (tokens, lazies) in this.dynamicTags.

9.6.7.4.3.6.1.8.35.6. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > tags > priorities`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.3.6.1.8.35.7. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > tags > renderedTags`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/IResolvable

Description: A lazy value that represents the rendered tags at synthesis time

If you need to make a custom construct taggable, use the value of this property to pass to the tags property of the underlying construct.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ creationStack	No	array of string	No	-	The creation stack of this resolvable which will be appended to errors thrown during resolution. This may return an array with a single informational element indicating how to get this property populated, if it was skipped for performance reasons.
- typeHint	No	enum (of string)	No	-	The type that this token will likely resolve to.

9.6.7.4.3.6.1.8.35.7.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > tags > renderedTags > creationStack`


Type	`array of string`
Required	Yes

Description: The creation stack of this resolvable which will be appended to errors thrown during resolution.

This may return an array with a single informational element indicating how to get this property populated, if it was skipped for performance reasons.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
creationStack items	-

9.6.7.4.3.6.1.8.35.7.1.1. root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > tags > renderedTags > creationStack > creationStack items


Type	`string`
Required	No

9.6.7.4.3.6.1.8.35.7.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > tags > renderedTags > typeHint`


Type	`enum (of string)`
Required	No

Description: The type that this token will likely resolve to.

Must be one of: * "number" * "string" * "string-list"

9.6.7.4.3.6.1.8.35.8. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > tags > resourceTypeName`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.3.6.1.8.35.9. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > tags > sortedTags`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.3.6.1.8.35.10. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > tags > tagFormatter`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.3.6.1.8.35.11. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > tags > tagPropertyName`


Type	`string`
Required	Yes

Description: The property name for tag values

Normally this is tags but some resources choose a different name. Cognito UserPool uses UserPoolTags

9.6.7.4.3.6.1.8.35.12. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > tags > tags`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.3.6.1.8.36. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > templateFile`


Type	`string`
Required	Yes

Description: The name of the CloudFormation template file emitted to the output directory during synthesis.

Example value: MyStack.template.json

9.6.7.4.3.6.1.8.37. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > templateOptions`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/ITemplateOptions

Description: Options for CloudFormation template (like version, transform, description).

Property	Pattern	Type	Deprecated	Definition	Title/Description
- description	No	string	No	-	Gets or sets the description of this stack. If provided, it will be included in the CloudFormation template's "Description" attribute.
- metadata	No	object	No	-	Metadata associated with the CloudFormation template.
- templateFormatVersion	No	string	No	-	Gets or sets the AWSTemplateFormatVersion field of the CloudFormation template.
- transforms	No	array of string	No	-	Gets or sets the top-level template transform(s) for this stack (e.g. `["AWS::Serverless-2016-10-31"]`).

9.6.7.4.3.6.1.8.37.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > templateOptions > description`


Type	`string`
Required	No

Description: Gets or sets the description of this stack. If provided, it will be included in the CloudFormation template's "Description" attribute.

9.6.7.4.3.6.1.8.37.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > templateOptions > metadata`


Type	`object`
Required	No
Additional properties	Each additional property must conform to the schema

Description: Metadata associated with the CloudFormation template.

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	object	No	-	-

9.6.7.4.3.6.1.8.37.2.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > templateOptions > metadata > additionalProperties`


Type	`object`
Required	No
Additional properties	Any type allowed

9.6.7.4.3.6.1.8.37.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > templateOptions > templateFormatVersion`


Type	`string`
Required	No

Description: Gets or sets the AWSTemplateFormatVersion field of the CloudFormation template.

9.6.7.4.3.6.1.8.37.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > templateOptions > transforms`


Type	`array of string`
Required	No

Description: Gets or sets the top-level template transform(s) for this stack (e.g. ["AWS::Serverless-2016-10-31"]).

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
transforms items	-

9.6.7.4.3.6.1.8.37.4.1. root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > templateOptions > transforms > transforms items


Type	`string`
Required	No

9.6.7.4.3.6.1.8.38. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > terminationProtection`


Type	`boolean`
Required	Yes

Description: Whether termination protection is enabled for this stack.

9.6.7.4.3.6.1.8.39. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > stack > urlSuffix`


Type	`string`
Required	Yes

Description: The Amazon domain suffix for the region in which this stack is defined

9.6.7.4.3.6.1.9. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > securityGroups > securityGroups items > uniqueId`


Type	`string`
Required	Yes

Description: A unique identifier for this connection peer

9.6.7.4.3.7. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _connections > skip`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: When doing bidirectional grants between Connections, make sure we don't recursive infinitely

9.6.7.4.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _currentVersion`


Type	`object`
Required	No
Additional properties	Any type allowed

9.6.7.4.5. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _functionUrlInvocationGrants`


Type	`object`
Required	Yes
Additional properties	Any type allowed
Defined in	#/definitions/Record%3Cstring%2CGrant%3E

Description: Mapping of function URL invocation principals to grants. Used to de-dupe grantInvokeUrl() calls.

9.6.7.4.6. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _hasAddedArrayTokenStatements`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Track whether we've added statements with array token resources to the role's default policy

9.6.7.4.7. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _hasAddedLiteralStatements`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Track whether we've added statements with literal resources to the role's default policy

9.6.7.4.8. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _invocationGrants`


Type	`object`
Required	Yes
Additional properties	Any type allowed
Same definition as	_functionUrlInvocationGrants

Description: Mapping of invocation principals to grants. Used to de-dupe grantInvoke() calls.

9.6.7.4.9. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _latestVersion`


Type	`object`
Required	No
Additional properties	Any type allowed

9.6.7.4.10. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _layers`


Type	`array`
Required	Yes

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
ILayerVersion	-

9.6.7.4.10.1. root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _layers > ILayerVersion


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/ILayerVersion

Property	Pattern	Type	Deprecated	Definition	Title/Description
- compatibleRuntimes	No	array	No	-	The runtimes compatible with this Layer.
+ env	No	object	No	Same as env	The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
+ layerVersionArn	No	string	No	-	The ARN of the Lambda Layer version that this Layer defines.
+ layerVersionRef	No	object	No	In #/definitions/LayerVersionReference	A reference to a LayerVersion resource.
+ node	No	object	No	Same as node	The tree node.
+ stack	No	object	No	Same as stack	The stack in which this resource is defined.

9.6.7.4.10.1.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _layers > _layers items > compatibleRuntimes`


Type	`array`
Required	No
Default	`"- All supported runtimes. Setting this to Runtime.ALL is equivalent to leaving it undefined."`

Description: The runtimes compatible with this Layer.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
Runtime	Lambda function runtime environment. ...

9.6.7.4.10.1.1.1. root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _layers > _layers items > compatibleRuntimes > Runtime


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/Runtime

Description: Lambda function runtime environment.

If you need to use a runtime name that doesn't exist as a static member, you can instantiate a Runtime object, e.g: new Runtime('nodejs99.99').

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ bundlingImage	No	object	No	In #/definitions/DockerImage	The bundling Docker image for this runtime.
- family	No	enum (of integer)	No	-	The runtime family.
+ isVariable	No	boolean	No	-	Enabled for runtime enums that always target the latest available.
+ name	No	string	No	-	The name of this runtime, as expected by the Lambda resource.
+ supportsCodeGuruProfiling	No	boolean	No	-	Whether this runtime is integrated with and supported for profiling using Amazon CodeGuru Profiler.
+ supportsInlineCode	No	boolean	No	-	Whether the ``ZipFile`` (aka inline code) property can be used with this runtime.
+ supportsSnapStart	No	boolean	No	-	Whether this runtime supports snapstart.

9.6.7.4.10.1.1.1.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _layers > _layers items > compatibleRuntimes > compatibleRuntimes items > bundlingImage`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/DockerImage

Description: The bundling Docker image for this runtime.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ image	No	string	No	-	The Docker image

9.6.7.4.10.1.1.1.1.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _layers > _layers items > compatibleRuntimes > compatibleRuntimes items > bundlingImage > image`


Type	`string`
Required	Yes

Description: The Docker image

9.6.7.4.10.1.1.1.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _layers > _layers items > compatibleRuntimes > compatibleRuntimes items > family`


Type	`enum (of integer)`
Required	No

Description: The runtime family.

Must be one of: * 0 * 1 * 2 * 3 * 4 * 5 * 6

9.6.7.4.10.1.1.1.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _layers > _layers items > compatibleRuntimes > compatibleRuntimes items > isVariable`


Type	`boolean`
Required	Yes

Description: Enabled for runtime enums that always target the latest available.

9.6.7.4.10.1.1.1.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _layers > _layers items > compatibleRuntimes > compatibleRuntimes items > name`


Type	`string`
Required	Yes

Description: The name of this runtime, as expected by the Lambda resource.

9.6.7.4.10.1.1.1.5. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _layers > _layers items > compatibleRuntimes > compatibleRuntimes items > supportsCodeGuruProfiling`


Type	`boolean`
Required	Yes

Description: Whether this runtime is integrated with and supported for profiling using Amazon CodeGuru Profiler.

9.6.7.4.10.1.1.1.6. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _layers > _layers items > compatibleRuntimes > compatibleRuntimes items > supportsInlineCode`


Type	`boolean`
Required	Yes

Description: Whether the ZipFile (aka inline code) property can be used with this runtime.

9.6.7.4.10.1.1.1.7. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _layers > _layers items > compatibleRuntimes > compatibleRuntimes items > supportsSnapStart`


Type	`boolean`
Required	Yes

Description: Whether this runtime supports snapstart.

9.6.7.4.10.1.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _layers > _layers items > env`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	env

Description: The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

9.6.7.4.10.1.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _layers > _layers items > layerVersionArn`


Type	`string`
Required	Yes

Description: The ARN of the Lambda Layer version that this Layer defines.

9.6.7.4.10.1.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _layers > _layers items > layerVersionRef`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/LayerVersionReference

Description: A reference to a LayerVersion resource.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ layerVersionArn	No	string	No	-	The LayerVersionArn of the LayerVersion resource.

9.6.7.4.10.1.4.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _layers > _layers items > layerVersionRef > layerVersionArn`


Type	`string`
Required	Yes

Description: The LayerVersionArn of the LayerVersion resource.

9.6.7.4.10.1.5. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _layers > _layers items > node`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	node

Description: The tree node.

9.6.7.4.10.1.6. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _layers > _layers items > stack`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	stack

Description: The stack in which this resource is defined.

9.6.7.4.11. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _logGroup`


Type	`object`
Required	No
Additional properties	Any type allowed

9.6.7.4.12. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _logRetention`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/LogRetention

Description: Creates a custom resource to control the retention policy of a CloudWatch Logs log group. The log group is created if it doesn't already exist. The policy is removed when retentionDays is undefined or equal to Infinity. Log group can be created in the region that is different from stack region by specifying logGroupRegion

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ ensureSingletonLogRetentionFunction	No	object	No	-	Helper method to ensure that only one instance of LogRetentionFunction resources are in the stack mimicking the behaviour of aws-cdk-lib/aws-lambda's SingletonFunction to prevent circular dependencies
+ logGroupArn	No	string	No	-	The ARN of the LogGroup.
+ node	No	object	No	Same as node	The tree node.

9.6.7.4.12.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _logRetention > ensureSingletonLogRetentionFunction`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Helper method to ensure that only one instance of LogRetentionFunction resources are in the stack mimicking the behaviour of aws-cdk-lib/aws-lambda's SingletonFunction to prevent circular dependencies

9.6.7.4.12.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _logRetention > logGroupArn`


Type	`string`
Required	Yes

Description: The ARN of the LogGroup.

9.6.7.4.12.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _logRetention > node`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	node

Description: The tree node.

9.6.7.4.13. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _physicalName`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.14. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _policyCounter`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: The number of permissions added to this function

9.6.7.4.15. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _skipPermissions`


Type	`boolean`
Required	No

Description: Whether the user decides to skip adding permissions. The only use case is for cross-account, imported lambdas where the user commits to modifying the permisssions on the imported lambda outside CDK.

9.6.7.4.16. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > _warnIfCurrentVersionCalled`


Type	`boolean`
Required	Yes

Description: Flag to delay adding a warning message until current version is invoked.

9.6.7.4.17. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > architecture`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/Architecture

Description: The architecture of this Lambda Function (this is an optional attribute and defaults to X86_64).

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ dockerPlatform	No	string	No	-	The platform to use for this architecture when building with Docker.
+ name	No	string	No	-	The name of the architecture as recognized by the AWS Lambda service APIs.

9.6.7.4.17.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > architecture > dockerPlatform`


Type	`string`
Required	Yes

Description: The platform to use for this architecture when building with Docker.

9.6.7.4.17.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > architecture > name`


Type	`string`
Required	Yes

Description: The name of the architecture as recognized by the AWS Lambda service APIs.

9.6.7.4.18. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > buildDeadLetterConfig`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.19. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > buildDeadLetterQueue`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.20. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > buildTracingConfig`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.21. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > canCreatePermissions`


Type	`const`
Required	Yes
Default	`true`

Description: Whether the addPermission() call adds any permissions

True for new Lambdas, false for version $LATEST and imported Lambdas from different accounts.

Specific value: true

9.6.7.4.22. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > configureAdotInstrumentation`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Add an AWS Distro for OpenTelemetry Lambda layer.

9.6.7.4.23. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > configureLambdaInsights`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Configured lambda insights on the function if specified. This is achieved by adding an imported layer which is added to the list of lambda layers on synthesis.

https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-extension-versions.html

9.6.7.4.24. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > configureParamsAndSecretsExtension`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Add a Parameters and Secrets Extension Lambda layer.

9.6.7.4.25. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > configureSnapStart`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.26. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > configureVpc`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: If configured, set up the VPC-related properties

Returns the VpcConfig that should be added to the Lambda creation properties.

9.6.7.4.27. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > connections`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	_connections

Description: Access the Connections object

Will fail if not a VPC-enabled Lambda Function

9.6.7.4.28. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/Version

Description: Returns a lambda.Version which represents the current version of this Lambda function. A new version will be created every time the function's configuration changes.

You can specify options for this version using the currentVersionOptions prop when initializing the lambda.Function.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ _allowCrossEnvironment	No	object	No	-	-
- _connections	No	object	No	Same as _connections	Actual connections object for this Lambda May be unset, in which case this Lambda is not configured use in a VPC.
+ _functionUrlInvocationGrants	No	object	No	Same as _functionUrlInvocationGrants	Mapping of function URL invocation principals to grants. Used to de-dupe `grantInvokeUrl()` calls.
+ _hasAddedArrayTokenStatements	No	object	No	-	Track whether we've added statements with array token resources to the role's default policy
+ _hasAddedLiteralStatements	No	object	No	-	Track whether we've added statements with literal resources to the role's default policy
+ _invocationGrants	No	object	No	Same as _functionUrlInvocationGrants	Mapping of invocation principals to grants. Used to de-dupe `grantInvoke()` calls.
- _latestVersion	No	object	No	-	-
+ _physicalName	No	object	No	-	-
+ _policyCounter	No	object	No	-	The number of permissions added to this function
- _skipPermissions	No	boolean	No	-	Whether the user decides to skip adding permissions. The only use case is for cross-account, imported lambdas where the user commits to modifying the permisssions on the imported lambda outside CDK.
+ _warnIfCurrentVersionCalled	No	boolean	No	-	Flag to delay adding a warning message until current version is invoked.
+ architecture	No	object	No	Same as architecture	The architecture of this Lambda Function.
+ canCreatePermissions	No	const	No	-	Whether the addPermission() call adds any permissions True for new Lambdas, false for version $LATEST and imported Lambdas from different accounts.
+ connections	No	object	No	Same as _connections	Access the Connections object Will fail if not a VPC-enabled Lambda Function
+ determineProvisionedConcurrency	No	object	No	-	Validate that the provisionedConcurrentExecutions makes sense Member must have value greater than or equal to 1
+ edgeArn	No	string	No	-	The ARN of the version for Lambda@Edge.
+ env	No	object	No	Same as env	The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
+ functionArn	No	string	No	-	The ARN fo the function.
+ functionName	No	string	No	-	The name of the function.
+ functionRef	No	object	No	In #/definitions/FunctionReference	A reference to a Function resource.
+ grant	No	object	No	-	-
+ grantPrincipal	No	object	No	In #/definitions/IPrincipal	The principal this Lambda Function is running as
+ isBoundToVpc	No	boolean	No	-	Whether or not this Lambda function was bound to a VPC If this is is `false`, trying to access the `connections` object will fail.
+ isPrincipalWithConditions	No	object	No	-	-
+ lambda	No	object	No	In #/definitions/IFunction	The underlying `IFunction`
+ latestVersion	No	object	No	Same as latestVersion	The `$LATEST` version of this function. Note that this is reference to a non-specific AWS Lambda version, which means the function this version refers to can return different results in different invocations. To obtain a reference to an explicit version which references the current function configuration, use `lambdaFunction.currentVersion` instead.
+ node	No	object	No	Same as node	The tree node.
+ parsePermissionPrincipal	No	object	No	-	Translate IPrincipal to something we can pass to AWS::Lambda::Permissions Do some nasty things because `Permission` supports a subset of what the full IAM principal language supports, and we may not be able to parse strings outright because they may be tokens. Try to recognize some specific Principal classes first, then try a generic fallback.
+ permissionsNode	No	object	No	Same as node	The construct node where permissions are attached.
+ physicalName	No	string	No	-	Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource. This value will resolve to one of the following: - a concrete value (e.g. `"my-awesome-bucket"`) - `undefined`, when a name should be generated by CloudFormation - a concrete name generated automatically during synthesis, in cross-environment scenarios.
+ qualifier	No	string	No	-	The qualifier of the version or alias of this function. A qualifier is the identifier that's appended to a version or alias ARN.
+ resourceArnsForGrantInvoke	No	array of string	No	-	The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke()
- role	No	object	No	Same as role	The IAM role associated with this function. Undefined if the function was imported without a role.
+ stack	No	object	No	Same as stack	The stack in which this resource is defined.
+ statementHasArrayTokens	No	object	No	-	Check if a policy statement contains array tokens that would cause CloudFormation resolution conflicts when mixed with literal arrays in the same policy document. Array tokens are created by CloudFormation intrinsic functions that return arrays, such as Fn::Split, Fn::GetAZs, etc. These cannot be safely merged with literal resource arrays due to CloudFormation's token resolution limitations. Individual string tokens within literal arrays (e.g., `["arn:${token}:..."]`) are safe and do not cause conflicts, so they are not detected by this method.
+ validateConditionCombinations	No	object	No	-	-
+ validateConditions	No	object	No	-	-
+ version	No	string	No	-	The most recently deployed version of this function.
+ versionRef	No	object	No	Same as versionRef	A reference to a Version resource.

9.6.7.4.28.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > _allowCrossEnvironment`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.28.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > _connections`


Type	`object`
Required	No
Additional properties	Not allowed
Same definition as	_connections

Description: Actual connections object for this Lambda

May be unset, in which case this Lambda is not configured use in a VPC.

9.6.7.4.28.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > _functionUrlInvocationGrants`


Type	`object`
Required	Yes
Additional properties	Any type allowed
Same definition as	_functionUrlInvocationGrants

Description: Mapping of function URL invocation principals to grants. Used to de-dupe grantInvokeUrl() calls.

9.6.7.4.28.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > _hasAddedArrayTokenStatements`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Track whether we've added statements with array token resources to the role's default policy

9.6.7.4.28.5. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > _hasAddedLiteralStatements`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Track whether we've added statements with literal resources to the role's default policy

9.6.7.4.28.6. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > _invocationGrants`


Type	`object`
Required	Yes
Additional properties	Any type allowed
Same definition as	_functionUrlInvocationGrants

Description: Mapping of invocation principals to grants. Used to de-dupe grantInvoke() calls.

9.6.7.4.28.7. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > _latestVersion`


Type	`object`
Required	No
Additional properties	Any type allowed

9.6.7.4.28.8. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > _physicalName`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.28.9. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > _policyCounter`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: The number of permissions added to this function

9.6.7.4.28.10. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > _skipPermissions`


Type	`boolean`
Required	No

Description: Whether the user decides to skip adding permissions. The only use case is for cross-account, imported lambdas where the user commits to modifying the permisssions on the imported lambda outside CDK.

9.6.7.4.28.11. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > _warnIfCurrentVersionCalled`


Type	`boolean`
Required	Yes

Description: Flag to delay adding a warning message until current version is invoked.

9.6.7.4.28.12. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > architecture`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	architecture

Description: The architecture of this Lambda Function.

9.6.7.4.28.13. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > canCreatePermissions`


Type	`const`
Required	Yes
Default	`true`

Description: Whether the addPermission() call adds any permissions

True for new Lambdas, false for version $LATEST and imported Lambdas from different accounts.

Specific value: true

9.6.7.4.28.14. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > connections`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	_connections

Description: Access the Connections object

Will fail if not a VPC-enabled Lambda Function

9.6.7.4.28.15. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > determineProvisionedConcurrency`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Validate that the provisionedConcurrentExecutions makes sense

Member must have value greater than or equal to 1

9.6.7.4.28.16. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > edgeArn`


Type	`string`
Required	Yes

Description: The ARN of the version for Lambda@Edge.

9.6.7.4.28.17. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > env`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	env

Description: The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

9.6.7.4.28.18. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > functionArn`


Type	`string`
Required	Yes

Description: The ARN fo the function.

9.6.7.4.28.19. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > functionName`


Type	`string`
Required	Yes

Description: The name of the function.

9.6.7.4.28.20. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > functionRef`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/FunctionReference

Description: A reference to a Function resource.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ functionArn	No	string	No	-	The ARN of the Function resource.
+ functionName	No	string	No	-	The FunctionName of the Function resource.

9.6.7.4.28.20.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > functionRef > functionArn`


Type	`string`
Required	Yes

Description: The ARN of the Function resource.

9.6.7.4.28.20.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > functionRef > functionName`


Type	`string`
Required	Yes

Description: The FunctionName of the Function resource.

9.6.7.4.28.21. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > grant`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.28.22. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > grantPrincipal`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/IPrincipal

Description: The principal this Lambda Function is running as

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ assumeRoleAction	No	string	No	-	When this Principal is used in an AssumeRole policy, the action to use.
+ grantPrincipal	No	object	No	Same as grantPrincipal	The principal to grant permissions to
+ policyFragment	No	object	No	In #/definitions/PrincipalPolicyFragment	Return the policy fragment that identifies this principal in a Policy.
- principalAccount	No	string	No	-	The AWS account ID of this principal. Can be undefined when the account is not known (for example, for service principals). Can be a Token - in that case, it's assumed to be AWS::AccountId.

9.6.7.4.28.22.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > grantPrincipal > assumeRoleAction`


Type	`string`
Required	Yes

Description: When this Principal is used in an AssumeRole policy, the action to use.

9.6.7.4.28.22.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > grantPrincipal > grantPrincipal`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	grantPrincipal

Description: The principal to grant permissions to

9.6.7.4.28.22.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > grantPrincipal > policyFragment`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/PrincipalPolicyFragment

Description: Return the policy fragment that identifies this principal in a Policy.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ conditions	No	object	No	In #/definitions/Conditions	The conditions under which the policy is in effect. See the IAM documentation.
+ principalJson	No	object	No	-	-

9.6.7.4.28.22.3.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > grantPrincipal > policyFragment > conditions`


Type	`object`
Required	Yes
Additional properties	Any type allowed
Defined in	#/definitions/Conditions

Description: The conditions under which the policy is in effect. See the IAM documentation.

9.6.7.4.28.22.3.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > grantPrincipal > policyFragment > principalJson`


Type	`object`
Required	Yes
Additional properties	Each additional property must conform to the schema

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	array of string	No	-	-

9.6.7.4.28.22.3.2.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > grantPrincipal > policyFragment > principalJson > additionalProperties`


Type	`array of string`
Required	No

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
additionalProperties items	-

9.6.7.4.28.22.3.2.1.1. root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > grantPrincipal > policyFragment > principalJson > additionalProperties > additionalProperties items


Type	`string`
Required	No

9.6.7.4.28.22.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > grantPrincipal > principalAccount`


Type	`string`
Required	No

Description: The AWS account ID of this principal. Can be undefined when the account is not known (for example, for service principals). Can be a Token - in that case, it's assumed to be AWS::AccountId.

9.6.7.4.28.23. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > isBoundToVpc`


Type	`boolean`
Required	Yes

Description: Whether or not this Lambda function was bound to a VPC

If this is is false, trying to access the connections object will fail.

9.6.7.4.28.24. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > isPrincipalWithConditions`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.28.25. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/IFunction

Description: The underlying IFunction

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ architecture	No	object	No	Same as architecture	The system architectures compatible with this lambda function.
+ connections	No	object	No	Same as _connections	The network connections associated with this resource.
+ env	No	object	No	Same as env	The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
+ functionArn	No	string	No	-	The ARN of the function.
+ functionName	No	string	No	-	The name of the function.
+ functionRef	No	object	No	Same as functionRef	A reference to a Function resource.
+ grantPrincipal	No	object	No	Same as grantPrincipal	The principal to grant permissions to
+ isBoundToVpc	No	boolean	No	-	Whether or not this Lambda function was bound to a VPC If this is is `false`, trying to access the `connections` object will fail.
+ latestVersion	No	object	No	In #/definitions/IVersion	The `$LATEST` version of this function. Note that this is reference to a non-specific AWS Lambda version, which means the function this version refers to can return different results in different invocations. To obtain a reference to an explicit version which references the current function configuration, use `lambdaFunction.currentVersion` instead.
+ node	No	object	No	Same as node	The tree node.
+ permissionsNode	No	object	No	Same as node	The construct node where permissions are attached.
+ resourceArnsForGrantInvoke	No	array of string	No	-	The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke(). This property is for cdk modules to consume only. You should not need to use this property. Instead, use grantInvoke() directly.
- role	No	object	No	Same as role	The IAM role associated with this function.
+ stack	No	object	No	Same as stack	The stack in which this resource is defined.

9.6.7.4.28.25.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > architecture`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	architecture

Description: The system architectures compatible with this lambda function.

9.6.7.4.28.25.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > connections`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	_connections

Description: The network connections associated with this resource.

9.6.7.4.28.25.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > env`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	env

Description: The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

9.6.7.4.28.25.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > functionArn`


Type	`string`
Required	Yes

Description: The ARN of the function.

9.6.7.4.28.25.5. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > functionName`


Type	`string`
Required	Yes

Description: The name of the function.

9.6.7.4.28.25.6. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > functionRef`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	functionRef

Description: A reference to a Function resource.

9.6.7.4.28.25.7. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > grantPrincipal`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	grantPrincipal

Description: The principal to grant permissions to

9.6.7.4.28.25.8. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > isBoundToVpc`


Type	`boolean`
Required	Yes

Description: Whether or not this Lambda function was bound to a VPC

If this is is false, trying to access the connections object will fail.

9.6.7.4.28.25.9. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/IVersion

Description: The $LATEST version of this function.

Note that this is reference to a non-specific AWS Lambda version, which means the function this version refers to can return different results in different invocations.

To obtain a reference to an explicit version which references the current function configuration, use lambdaFunction.currentVersion instead.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ architecture	No	object	No	Same as architecture	The system architectures compatible with this lambda function.
+ connections	No	object	No	Same as _connections	The network connections associated with this resource.
+ edgeArn	No	string	No	-	The ARN of the version for Lambda@Edge.
+ env	No	object	No	Same as env	The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
+ functionArn	No	string	No	-	The ARN of the function.
+ functionName	No	string	No	-	The name of the function.
+ functionRef	No	object	No	Same as functionRef	A reference to a Function resource.
+ grantPrincipal	No	object	No	Same as grantPrincipal	The principal to grant permissions to
+ isBoundToVpc	No	boolean	No	-	Whether or not this Lambda function was bound to a VPC If this is is `false`, trying to access the `connections` object will fail.
+ lambda	No	object	No	Same as lambda	The underlying AWS Lambda function.
+ latestVersion	No	object	No	Same as latestVersion	The `$LATEST` version of this function. Note that this is reference to a non-specific AWS Lambda version, which means the function this version refers to can return different results in different invocations. To obtain a reference to an explicit version which references the current function configuration, use `lambdaFunction.currentVersion` instead.
+ node	No	object	No	Same as node	The tree node.
+ permissionsNode	No	object	No	Same as node	The construct node where permissions are attached.
+ resourceArnsForGrantInvoke	No	array of string	No	-	The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke(). This property is for cdk modules to consume only. You should not need to use this property. Instead, use grantInvoke() directly.
- role	No	object	No	In #/definitions/IRole	The IAM role associated with this function.
+ stack	No	object	No	Same as stack	The stack in which this resource is defined.
+ version	No	string	No	-	The most recently deployed version of this function.
+ versionRef	No	object	No	In #/definitions/VersionReference	A reference to a Version resource.

9.6.7.4.28.25.9.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > architecture`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	architecture

Description: The system architectures compatible with this lambda function.

9.6.7.4.28.25.9.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > connections`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	_connections

Description: The network connections associated with this resource.

9.6.7.4.28.25.9.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > edgeArn`


Type	`string`
Required	Yes

Description: The ARN of the version for Lambda@Edge.

9.6.7.4.28.25.9.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > env`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	env

Description: The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

9.6.7.4.28.25.9.5. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > functionArn`


Type	`string`
Required	Yes

Description: The ARN of the function.

9.6.7.4.28.25.9.6. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > functionName`


Type	`string`
Required	Yes

Description: The name of the function.

9.6.7.4.28.25.9.7. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > functionRef`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	functionRef

Description: A reference to a Function resource.

9.6.7.4.28.25.9.8. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > grantPrincipal`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	grantPrincipal

Description: The principal to grant permissions to

9.6.7.4.28.25.9.9. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > isBoundToVpc`


Type	`boolean`
Required	Yes

Description: Whether or not this Lambda function was bound to a VPC

If this is is false, trying to access the connections object will fail.

9.6.7.4.28.25.9.10. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > lambda`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	lambda

Description: The underlying AWS Lambda function.

9.6.7.4.28.25.9.11. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > latestVersion`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	latestVersion

Description: The $LATEST version of this function.

Note that this is reference to a non-specific AWS Lambda version, which means the function this version refers to can return different results in different invocations.

To obtain a reference to an explicit version which references the current function configuration, use lambdaFunction.currentVersion instead.

9.6.7.4.28.25.9.12. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > node`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	node

Description: The tree node.

9.6.7.4.28.25.9.13. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > permissionsNode`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	node

Description: The construct node where permissions are attached.

9.6.7.4.28.25.9.14. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > resourceArnsForGrantInvoke`


Type	`array of string`
Required	Yes

Description: The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke().

This property is for cdk modules to consume only. You should not need to use this property. Instead, use grantInvoke() directly.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
resourceArnsForGrantInvoke items	-

9.6.7.4.28.25.9.14.1. root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > resourceArnsForGrantInvoke > resourceArnsForGrantInvoke items


Type	`string`
Required	No

9.6.7.4.28.25.9.15. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > role`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/IRole

Description: The IAM role associated with this function.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ assumeRoleAction	No	string	No	-	When this Principal is used in an AssumeRole policy, the action to use.
+ env	No	object	No	Same as env	The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
+ grantPrincipal	No	object	No	Same as grantPrincipal	The principal to grant permissions to
+ node	No	object	No	Same as node	The tree node.
+ policyFragment	No	object	No	Same as policyFragment	Return the policy fragment that identifies this principal in a Policy.
- principalAccount	No	string	No	-	The AWS account ID of this principal. Can be undefined when the account is not known (for example, for service principals). Can be a Token - in that case, it's assumed to be AWS::AccountId.
+ roleArn	No	string	No	-	Returns the ARN of this role.
+ roleName	No	string	No	-	Returns the name of this role.
+ roleRef	No	object	No	In #/definitions/RoleReference	A reference to a Role resource.
+ stack	No	object	No	Same as stack	The stack in which this resource is defined.

9.6.7.4.28.25.9.15.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > role > assumeRoleAction`


Type	`string`
Required	Yes

Description: When this Principal is used in an AssumeRole policy, the action to use.

9.6.7.4.28.25.9.15.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > role > env`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	env

Description: The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

9.6.7.4.28.25.9.15.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > role > grantPrincipal`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	grantPrincipal

Description: The principal to grant permissions to

9.6.7.4.28.25.9.15.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > role > node`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	node

Description: The tree node.

9.6.7.4.28.25.9.15.5. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > role > policyFragment`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	policyFragment

Description: Return the policy fragment that identifies this principal in a Policy.

9.6.7.4.28.25.9.15.6. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > role > principalAccount`


Type	`string`
Required	No

Description: The AWS account ID of this principal. Can be undefined when the account is not known (for example, for service principals). Can be a Token - in that case, it's assumed to be AWS::AccountId.

9.6.7.4.28.25.9.15.7. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > role > roleArn`


Type	`string`
Required	Yes

Description: Returns the ARN of this role.

9.6.7.4.28.25.9.15.8. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > role > roleName`


Type	`string`
Required	Yes

Description: Returns the name of this role.

9.6.7.4.28.25.9.15.9. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > role > roleRef`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/RoleReference

Description: A reference to a Role resource.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ roleArn	No	string	No	-	The ARN of the Role resource.
+ roleName	No	string	No	-	The RoleName of the Role resource.

9.6.7.4.28.25.9.15.9.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > role > roleRef > roleArn`


Type	`string`
Required	Yes

Description: The ARN of the Role resource.

9.6.7.4.28.25.9.15.9.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > role > roleRef > roleName`


Type	`string`
Required	Yes

Description: The RoleName of the Role resource.

9.6.7.4.28.25.9.15.10. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > role > stack`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	stack

Description: The stack in which this resource is defined.

9.6.7.4.28.25.9.16. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > stack`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	stack

Description: The stack in which this resource is defined.

9.6.7.4.28.25.9.17. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > version`


Type	`string`
Required	Yes

Description: The most recently deployed version of this function.

9.6.7.4.28.25.9.18. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > versionRef`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/VersionReference

Description: A reference to a Version resource.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ functionArn	No	string	No	-	The FunctionArn of the Version resource.

9.6.7.4.28.25.9.18.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > latestVersion > versionRef > functionArn`


Type	`string`
Required	Yes

Description: The FunctionArn of the Version resource.

9.6.7.4.28.25.10. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > node`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	node

Description: The tree node.

9.6.7.4.28.25.11. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > permissionsNode`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	node

Description: The construct node where permissions are attached.

9.6.7.4.28.25.12. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > resourceArnsForGrantInvoke`


Type	`array of string`
Required	Yes

Description: The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke().

This property is for cdk modules to consume only. You should not need to use this property. Instead, use grantInvoke() directly.

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
resourceArnsForGrantInvoke items	-

9.6.7.4.28.25.12.1. root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > resourceArnsForGrantInvoke > resourceArnsForGrantInvoke items


Type	`string`
Required	No

9.6.7.4.28.25.13. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > role`


Type	`object`
Required	No
Additional properties	Not allowed
Same definition as	role

Description: The IAM role associated with this function.

9.6.7.4.28.25.14. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > lambda > stack`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	stack

Description: The stack in which this resource is defined.

9.6.7.4.28.26. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > latestVersion`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	latestVersion

Description: The $LATEST version of this function.

Note that this is reference to a non-specific AWS Lambda version, which means the function this version refers to can return different results in different invocations.

To obtain a reference to an explicit version which references the current function configuration, use lambdaFunction.currentVersion instead.

9.6.7.4.28.27. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > node`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	node

Description: The tree node.

9.6.7.4.28.28. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > parsePermissionPrincipal`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Translate IPrincipal to something we can pass to AWS::Lambda::Permissions

Do some nasty things because Permission supports a subset of what the full IAM principal language supports, and we may not be able to parse strings outright because they may be tokens.

Try to recognize some specific Principal classes first, then try a generic fallback.

9.6.7.4.28.29. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > permissionsNode`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	node

Description: The construct node where permissions are attached.

9.6.7.4.28.30. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > physicalName`


Type	`string`
Required	Yes

Description: Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.

This value will resolve to one of the following: - a concrete value (e.g. "my-awesome-bucket") - undefined, when a name should be generated by CloudFormation - a concrete name generated automatically during synthesis, in cross-environment scenarios.

9.6.7.4.28.31. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > qualifier`


Type	`string`
Required	Yes

Description: The qualifier of the version or alias of this function. A qualifier is the identifier that's appended to a version or alias ARN.

9.6.7.4.28.32. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > resourceArnsForGrantInvoke`


Type	`array of string`
Required	Yes

Description: The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke()

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
resourceArnsForGrantInvoke items	-

9.6.7.4.28.32.1. root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > resourceArnsForGrantInvoke > resourceArnsForGrantInvoke items


Type	`string`
Required	No

9.6.7.4.28.33. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > role`


Type	`object`
Required	No
Additional properties	Not allowed
Same definition as	role

Description: The IAM role associated with this function.

Undefined if the function was imported without a role.

9.6.7.4.28.34. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > stack`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	stack

Description: The stack in which this resource is defined.

9.6.7.4.28.35. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > statementHasArrayTokens`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Check if a policy statement contains array tokens that would cause CloudFormation resolution conflicts when mixed with literal arrays in the same policy document.

Array tokens are created by CloudFormation intrinsic functions that return arrays, such as Fn::Split, Fn::GetAZs, etc. These cannot be safely merged with literal resource arrays due to CloudFormation's token resolution limitations.

Individual string tokens within literal arrays (e.g., ["arn:${token}:..."]) are safe and do not cause conflicts, so they are not detected by this method.

9.6.7.4.28.36. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > validateConditionCombinations`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.28.37. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > validateConditions`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.28.38. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > version`


Type	`string`
Required	Yes

Description: The most recently deployed version of this function.

9.6.7.4.28.39. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersion > versionRef`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	versionRef

Description: A reference to a Version resource.

9.6.7.4.29. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > currentVersionOptions`


Type	`object`
Required	No
Additional properties	Any type allowed

9.6.7.4.30. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/IQueue

Description: The DLQ (as queue) associated with this Lambda Function (this is an optional attribute).

Property	Pattern	Type	Deprecated	Definition	Title/Description
- encryptionMasterKey	No	object	No	In #/definitions/IKey	If this queue is server-side encrypted, this is the KMS encryption key.
- encryptionType	No	enum (of string)	No	-	Whether the contents of the queue are encrypted, and by what type of key.
+ env	No	object	No	Same as env	The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
+ fifo	No	boolean	No	-	Whether this queue is an Amazon SQS FIFO queue. If false, this is a standard queue.
+ node	No	object	No	Same as node	The tree node.
+ queueArn	No	string	No	-	The ARN of this queue
+ queueName	No	string	No	-	The name of this queue
+ queueUrl	No	string	No	-	The URL of this queue
+ stack	No	object	No	Same as stack	The stack in which this resource is defined.

9.6.7.4.30.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > encryptionMasterKey`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/IKey

Description: If this queue is server-side encrypted, this is the KMS encryption key.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ env	No	object	No	Same as env	The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
+ keyArn	No	string	No	-	The ARN of the key.
+ keyId	No	string	No	-	The ID of the key (the part that looks something like: 1234abcd-12ab-34cd-56ef-1234567890ab).
+ keyRef	No	object	No	In #/definitions/KeyReference	A reference to a Key resource.
+ node	No	object	No	Same as node	The tree node.
+ stack	No	object	No	Same as stack	The stack in which this resource is defined.

9.6.7.4.30.1.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > encryptionMasterKey > env`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	env

Description: The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

9.6.7.4.30.1.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > encryptionMasterKey > keyArn`


Type	`string`
Required	Yes

Description: The ARN of the key.

9.6.7.4.30.1.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > encryptionMasterKey > keyId`


Type	`string`
Required	Yes

Description: The ID of the key (the part that looks something like: 1234abcd-12ab-34cd-56ef-1234567890ab).

9.6.7.4.30.1.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > encryptionMasterKey > keyRef`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/KeyReference

Description: A reference to a Key resource.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ keyArn	No	string	No	-	The ARN of the Key resource.
+ keyId	No	string	No	-	The KeyId of the Key resource.

9.6.7.4.30.1.4.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > encryptionMasterKey > keyRef > keyArn`


Type	`string`
Required	Yes

Description: The ARN of the Key resource.

9.6.7.4.30.1.4.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > encryptionMasterKey > keyRef > keyId`


Type	`string`
Required	Yes

Description: The KeyId of the Key resource.

9.6.7.4.30.1.5. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > encryptionMasterKey > node`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	node

Description: The tree node.

9.6.7.4.30.1.6. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > encryptionMasterKey > stack`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	stack

Description: The stack in which this resource is defined.

9.6.7.4.30.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > encryptionType`


Type	`enum (of string)`
Required	No

Description: Whether the contents of the queue are encrypted, and by what type of key.

Must be one of: * "KMS" * "KMS_MANAGED" * "NONE" * "SQS_MANAGED"

9.6.7.4.30.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > env`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	env

Description: The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

9.6.7.4.30.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > fifo`


Type	`boolean`
Required	Yes

Description: Whether this queue is an Amazon SQS FIFO queue. If false, this is a standard queue.

9.6.7.4.30.5. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > node`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	node

Description: The tree node.

9.6.7.4.30.6. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > queueArn`


Type	`string`
Required	Yes

Description: The ARN of this queue

9.6.7.4.30.7. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > queueName`


Type	`string`
Required	Yes

Description: The name of this queue

9.6.7.4.30.8. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > queueUrl`


Type	`string`
Required	Yes

Description: The URL of this queue

9.6.7.4.30.9. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > stack`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	stack

Description: The stack in which this resource is defined.

9.6.7.4.31. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterTopic`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/ITopic

Description: The DLQ (as topic) associated with this Lambda Function (this is an optional attribute).

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ contentBasedDeduplication	No	boolean	No	-	Enables content-based deduplication for FIFO topics.
+ env	No	object	No	Same as env	The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
+ fifo	No	boolean	No	-	Whether this topic is an Amazon SNS FIFO queue. If false, this is a standard topic.
- masterKey	No	object	No	In #/definitions/IKey	A KMS Key, either managed by this CDK app, or imported. This property applies only to server-side encryption.
+ node	No	object	No	Same as node	The tree node.
+ stack	No	object	No	Same as stack	The stack in which this resource is defined.
+ topicArn	No	string	No	-	The ARN of the topic
+ topicName	No	string	No	-	The name of the topic

9.6.7.4.31.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterTopic > contentBasedDeduplication`


Type	`boolean`
Required	Yes

Description: Enables content-based deduplication for FIFO topics.

9.6.7.4.31.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterTopic > env`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	env

Description: The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

9.6.7.4.31.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterTopic > fifo`


Type	`boolean`
Required	Yes

Description: Whether this topic is an Amazon SNS FIFO queue. If false, this is a standard topic.

9.6.7.4.31.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterTopic > masterKey`


Type	`object`
Required	No
Additional properties	Not allowed
Default	`"None"`
Defined in	#/definitions/IKey

Description: A KMS Key, either managed by this CDK app, or imported.

This property applies only to server-side encryption.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ env	No	object	No	Same as env	The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
+ keyArn	No	string	No	-	The ARN of the key.
+ keyId	No	string	No	-	The ID of the key (the part that looks something like: 1234abcd-12ab-34cd-56ef-1234567890ab).
+ keyRef	No	object	No	In #/definitions/KeyReference	A reference to a Key resource.
+ node	No	object	No	Same as node	The tree node.
+ stack	No	object	No	Same as stack	The stack in which this resource is defined.

9.6.7.4.31.4.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > encryptionMasterKey > env`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	env

Description: The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

9.6.7.4.31.4.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > encryptionMasterKey > keyArn`


Type	`string`
Required	Yes

Description: The ARN of the key.

9.6.7.4.31.4.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > encryptionMasterKey > keyId`


Type	`string`
Required	Yes

Description: The ID of the key (the part that looks something like: 1234abcd-12ab-34cd-56ef-1234567890ab).

9.6.7.4.31.4.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > encryptionMasterKey > keyRef`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/KeyReference

Description: A reference to a Key resource.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ keyArn	No	string	No	-	The ARN of the Key resource.
+ keyId	No	string	No	-	The KeyId of the Key resource.

9.6.7.4.31.4.4.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > encryptionMasterKey > keyRef > keyArn`


Type	`string`
Required	Yes

Description: The ARN of the Key resource.

9.6.7.4.31.4.4.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > encryptionMasterKey > keyRef > keyId`


Type	`string`
Required	Yes

Description: The KeyId of the Key resource.

9.6.7.4.31.4.5. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > encryptionMasterKey > node`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	node

Description: The tree node.

9.6.7.4.31.4.6. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterQueue > encryptionMasterKey > stack`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	stack

Description: The stack in which this resource is defined.

9.6.7.4.31.5. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterTopic > node`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	node

Description: The tree node.

9.6.7.4.31.6. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterTopic > stack`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	stack

Description: The stack in which this resource is defined.

9.6.7.4.31.7. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterTopic > topicArn`


Type	`string`
Required	Yes

Description: The ARN of the topic

9.6.7.4.31.8. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > deadLetterTopic > topicName`


Type	`string`
Required	Yes

Description: The name of the topic

9.6.7.4.32. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > env`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	env

Description: The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

9.6.7.4.33. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > environment`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Environment variables for this function

9.6.7.4.34. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > functionArn`


Type	`string`
Required	Yes

Description: ARN of this function

9.6.7.4.35. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > functionName`


Type	`string`
Required	Yes

Description: Name of this function

9.6.7.4.36. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > functionRef`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	functionRef

Description: A reference to a Function resource.

9.6.7.4.37. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > getLoggingConfig`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Get Logging Config property for the function. This method returns the function LoggingConfig Property if the property is set on the function and undefined if not.

9.6.7.4.38. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > grant`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.39. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > grantPrincipal`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	grantPrincipal

Description: The principal this Lambda Function is running as

9.6.7.4.40. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > hashMixins`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.41. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > isBoundToVpc`


Type	`boolean`
Required	Yes

Description: Whether or not this Lambda function was bound to a VPC

If this is is false, trying to access the connections object will fail.

9.6.7.4.42. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > isPrincipalWithConditions`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.43. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > isQueue`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.44. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > latestVersion`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	latestVersion

Description: The $LATEST version of this function.

Note that this is reference to a non-specific AWS Lambda version, which means the function this version refers to can return different results in different invocations.

To obtain a reference to an explicit version which references the current function configuration, use lambdaFunction.currentVersion instead.

9.6.7.4.45. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > logGroup`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/ILogGroup

Description: The LogGroup where the Lambda function's logs are made available.

If either logRetention is set or this property is called, a CloudFormation custom resource is added to the stack that pre-creates the log group as part of the stack deployment, if it already doesn't exist, and sets the correct log retention period (never expire, by default).

Further, if the log group already exists and the logRetention is not set, the custom resource will reset the log retention to never expire even if it was configured with a different value.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ env	No	object	No	Same as env	The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
+ logGroupArn	No	string	No	-	The ARN of this log group, with ':*' appended
+ logGroupName	No	string	No	-	The name of this log group
+ node	No	object	No	Same as node	The tree node.
+ stack	No	object	No	Same as stack	The stack in which this resource is defined.

9.6.7.4.45.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > logGroup > env`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	env

Description: The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

9.6.7.4.45.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > logGroup > logGroupArn`


Type	`string`
Required	Yes

Description: The ARN of this log group, with ':*' appended

9.6.7.4.45.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > logGroup > logGroupName`


Type	`string`
Required	Yes

Description: The name of this log group

9.6.7.4.45.4. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > logGroup > node`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	node

Description: The tree node.

9.6.7.4.45.5. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > logGroup > stack`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	stack

Description: The stack in which this resource is defined.

9.6.7.4.46. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > node`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	node

Description: The tree node.

9.6.7.4.47. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > parsePermissionPrincipal`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Translate IPrincipal to something we can pass to AWS::Lambda::Permissions

Do some nasty things because Permission supports a subset of what the full IAM principal language supports, and we may not be able to parse strings outright because they may be tokens.

Try to recognize some specific Principal classes first, then try a generic fallback.

9.6.7.4.48. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > permissionsNode`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	node

Description: The construct node where permissions are attached.

9.6.7.4.49. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > physicalName`


Type	`string`
Required	Yes

Description: Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.

This value will resolve to one of the following: - a concrete value (e.g. "my-awesome-bucket") - undefined, when a name should be generated by CloudFormation - a concrete name generated automatically during synthesis, in cross-environment scenarios.

9.6.7.4.50. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > renderEnvironment`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.51. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > renderLayers`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.52. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > resourceArnsForGrantInvoke`


Type	`array of string`
Required	Yes

Description: The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke()

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
resourceArnsForGrantInvoke items	-

9.6.7.4.52.1. root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > resourceArnsForGrantInvoke > resourceArnsForGrantInvoke items


Type	`string`
Required	No

9.6.7.4.53. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > role`


Type	`object`
Required	No
Additional properties	Not allowed
Same definition as	role

Description: Execution role associated with this function

9.6.7.4.54. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > runtime`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	sagemakerBlueprint_domainConfig_domainConfigCr_handlerFunction__layers_items_compatibleRuntimes_items

Description: The runtime configured for this lambda.

9.6.7.4.55. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > stack`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	stack

Description: The stack in which this resource is defined.

9.6.7.4.56. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > statementHasArrayTokens`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Check if a policy statement contains array tokens that would cause CloudFormation resolution conflicts when mixed with literal arrays in the same policy document.

Array tokens are created by CloudFormation intrinsic functions that return arrays, such as Fn::Split, Fn::GetAZs, etc. These cannot be safely merged with literal resource arrays due to CloudFormation's token resolution limitations.

Individual string tokens within literal arrays (e.g., ["arn:${token}:..."]) are safe and do not cause conflicts, so they are not detected by this method.

9.6.7.4.57. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > timeout`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/Duration

Description: The timeout configured for this lambda.

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ amount	No	object	No	-	-
+ components	No	object	No	-	Return the duration in a set of whole numbered time components, ordered from largest to smallest Only components != 0 will be returned. Can combine millis and seconds together for the benefit of toIsoString, makes the logic in there simpler.
+ unit	No	object	No	-	-

9.6.7.4.57.1. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > timeout > amount`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.57.2. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > timeout > components`


Type	`object`
Required	Yes
Additional properties	Any type allowed

Description: Return the duration in a set of whole numbered time components, ordered from largest to smallest

Only components != 0 will be returned.

Can combine millis and seconds together for the benefit of toIsoString, makes the logic in there simpler.

9.6.7.4.57.3. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > timeout > unit`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.58. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > validateConditionCombinations`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.59. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > validateConditions`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.4.60. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > handlerFunction > validateProfiling`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.5. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > node`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	node

Description: The tree node.

9.6.7.6. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > physicalName`


Type	`string`
Required	Yes

Description: Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.

This value will resolve to one of the following: - a concrete value (e.g. "my-awesome-bucket") - undefined, when a name should be generated by CloudFormation - a concrete name generated automatically during synthesis, in cross-environment scenarios.

9.6.7.7. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > ref`


Type	`string`
Required	Yes

Description: The physical name of this custom resource.

9.6.7.8. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > resource`


Type	`object`
Required	Yes
Additional properties	Any type allowed

9.6.7.9. Property `root > sagemakerBlueprint > domainConfig > domainConfigCr > stack`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	stack

Description: The stack in which this resource is defined.

9.6.8. Property `root > sagemakerBlueprint > domainConfig > domainId`


Type	`string`
Required	Yes

9.6.9. Property `root > sagemakerBlueprint > domainConfig > domainKmsKeyArn`


Type	`string`
Required	Yes

9.6.10. Property `root > sagemakerBlueprint > domainConfig > domainKmsUsagePolicyName`


Type	`string`
Required	Yes

9.6.11. Property `root > sagemakerBlueprint > domainConfig > domainName`


Type	`string`
Required	Yes

9.6.12. Property `root > sagemakerBlueprint > domainConfig > domainUnitIds`


Type	`object`
Required	Yes
Additional properties	Each additional property must conform to the schema

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	string	No	-	-

9.6.12.1. Property `root > sagemakerBlueprint > domainConfig > domainUnitIds > additionalProperties`


Type	`string`
Required	No

9.6.13. Property `root > sagemakerBlueprint > domainConfig > domainVersion`


Type	`string`
Required	Yes

9.6.14. Property `root > sagemakerBlueprint > domainConfig > glueCatalogArns`


Type	`array of string`
Required	Yes

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
glueCatalogArns items	-

9.6.14.1. root > sagemakerBlueprint > domainConfig > glueCatalogArns > glueCatalogArns items


Type	`string`
Required	No

9.6.15. Property `root > sagemakerBlueprint > domainConfig > glueCatalogKmsKeyArns`


Type	`array of string`
Required	Yes

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
glueCatalogKmsKeyArns items	-

9.6.15.1. root > sagemakerBlueprint > domainConfig > glueCatalogKmsKeyArns > glueCatalogKmsKeyArns items


Type	`string`
Required	No

9.6.16. Property `root > sagemakerBlueprint > domainConfig > node`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	node

Description: The tree node.

9.6.17. Property `root > sagemakerBlueprint > domainConfig > projectIds`


Type	`object`
Required	Yes
Additional properties	Each additional property must conform to the schema

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	string	No	-	-

9.6.17.1. Property `root > sagemakerBlueprint > domainConfig > projectIds > additionalProperties`


Type	`string`
Required	No

9.6.18. Property `root > sagemakerBlueprint > domainConfig > props`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/DomainConfigProps

Property	Pattern	Type	Deprecated	Definition	Title/Description
- blueprintIds	No	object	No	-	-
- createConfigParams	No	boolean	No	-	-
- createOutputs	No	boolean	No	-	Flag controlling CloudFormation output and stack export creation for construct resources
- createParams	No	boolean	No	-	Flag controlling SSM parameter creation for construct resource references enabling
- customResourceRoleName	No	string	No	-	-
- domainArn	No	string	No	-	DataZone domain ARN for AWS resource identification and IAM policy integration enabling
- domainBucketArn	No	string	No	-	-
- domainBucketUsagePolicyName	No	string	No	-	Domain Bucket usage policy name
- domainId	No	string	No	-	DataZone domain ID for unique domain identification within AWS enabling cross-service
- domainKmsKeyArn	No	string	No	-	KMS key ARN for domain encryption ensuring data protection compliance and secure domain operations
- domainKmsUsagePolicyName	No	string	No	-	Domain KMS usage policy name for key access management enabling controlled encryption key
- domainName	No	string	No	-	DataZone domain name for domain identification and management enabling unique domain naming
- domainUnitIds	No	object	No	-	Map of domain unit names to identifiers for hierarchical domain organization enabling
- domainVersion	No	string	No	-	Domain version for domain lifecycle management and versioning control enabling domain evolution tracking
- glueCatalogArns	No	array of string	No	-	Array of Glue catalog ARNs for catalog integration enabling data catalog connectivity with DataZone
- glueCatalogKmsKeyArns	No	array of string	No	-	Array of Glue catalog KMS key ARNs for catalog encryption enabling secure catalog integration with DataZone
+ naming	No	object	No	In #/definitions/IMdaaResourceNaming	MDAA naming implementation for consistent resource naming across all MDAA constructs
- projectIds	No	object	No	-	-
- refresh	No	boolean	No	-	-
+ ssmParamBase	No	string	No	-	SSM parameter base path for domain configuration storage enabling centralized configuration management

9.6.18.1. Property `root > sagemakerBlueprint > domainConfig > props > blueprintIds`


Type	`object`
Required	No
Additional properties	Each additional property must conform to the schema

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	string	No	-	-

9.6.18.1.1. Property `root > sagemakerBlueprint > domainConfig > props > blueprintIds > additionalProperties`


Type	`string`
Required	No

9.6.18.2. Property `root > sagemakerBlueprint > domainConfig > props > createConfigParams`


Type	`boolean`
Required	No

9.6.18.3. Property `root > sagemakerBlueprint > domainConfig > props > createOutputs`


Type	`boolean`
Required	No

Description: Flag controlling CloudFormation output and stack export creation for construct resources

9.6.18.4. Property `root > sagemakerBlueprint > domainConfig > props > createParams`


Type	`boolean`
Required	No

Description: Flag controlling SSM parameter creation for construct resource references enabling

9.6.18.5. Property `root > sagemakerBlueprint > domainConfig > props > customResourceRoleName`


Type	`string`
Required	No

9.6.18.6. Property `root > sagemakerBlueprint > domainConfig > props > domainArn`


Type	`string`
Required	No

Description: DataZone domain ARN for AWS resource identification and IAM policy integration enabling

9.6.18.7. Property `root > sagemakerBlueprint > domainConfig > props > domainBucketArn`


Type	`string`
Required	No

9.6.18.8. Property `root > sagemakerBlueprint > domainConfig > props > domainBucketUsagePolicyName`


Type	`string`
Required	No

Description: Domain Bucket usage policy name

9.6.18.9. Property `root > sagemakerBlueprint > domainConfig > props > domainId`


Type	`string`
Required	No

Description: DataZone domain ID for unique domain identification within AWS enabling cross-service

9.6.18.10. Property `root > sagemakerBlueprint > domainConfig > props > domainKmsKeyArn`


Type	`string`
Required	No

Description: KMS key ARN for domain encryption ensuring data protection compliance and secure domain operations

9.6.18.11. Property `root > sagemakerBlueprint > domainConfig > props > domainKmsUsagePolicyName`


Type	`string`
Required	No

Description: Domain KMS usage policy name for key access management enabling controlled encryption key

9.6.18.12. Property `root > sagemakerBlueprint > domainConfig > props > domainName`


Type	`string`
Required	No

Description: DataZone domain name for domain identification and management enabling unique domain naming

9.6.18.13. Property `root > sagemakerBlueprint > domainConfig > props > domainUnitIds`


Type	`object`
Required	No
Additional properties	Each additional property must conform to the schema

Description: Map of domain unit names to identifiers for hierarchical domain organization enabling

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	string	No	-	-

9.6.18.13.1. Property `root > sagemakerBlueprint > domainConfig > props > domainUnitIds > additionalProperties`


Type	`string`
Required	No

9.6.18.14. Property `root > sagemakerBlueprint > domainConfig > props > domainVersion`


Type	`string`
Required	No

Description: Domain version for domain lifecycle management and versioning control enabling domain evolution tracking

9.6.18.15. Property `root > sagemakerBlueprint > domainConfig > props > glueCatalogArns`


Type	`array of string`
Required	No

Description: Array of Glue catalog ARNs for catalog integration enabling data catalog connectivity with DataZone

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
glueCatalogArns items	-

9.6.18.15.1. root > sagemakerBlueprint > domainConfig > props > glueCatalogArns > glueCatalogArns items


Type	`string`
Required	No

9.6.18.16. Property `root > sagemakerBlueprint > domainConfig > props > glueCatalogKmsKeyArns`


Type	`array of string`
Required	No

Description: Array of Glue catalog KMS key ARNs for catalog encryption enabling secure catalog integration with DataZone

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
glueCatalogKmsKeyArns items	-

9.6.18.16.1. root > sagemakerBlueprint > domainConfig > props > glueCatalogKmsKeyArns > glueCatalogKmsKeyArns items


Type	`string`
Required	No

9.6.18.17. Property `root > sagemakerBlueprint > domainConfig > props > naming`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/IMdaaResourceNaming

Description: MDAA naming implementation for consistent resource naming across all MDAA constructs

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ props	No	object	No	In #/definitions/MdaaResourceNamingConfig	Configuration properties containing organizational context and CDK node access for the naming implementation

9.6.18.17.1. Property `root > sagemakerBlueprint > domainConfig > props > naming > props`


Type	`object`
Required	Yes
Additional properties	Not allowed
Defined in	#/definitions/MdaaResourceNamingConfig

Description: Configuration properties containing organizational context and CDK node access for the naming implementation

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ cdkNode	No	object	No	Same as node	CDK construct node providing access to context values for custom naming implementations
+ domain	No	string	No	-	Domain identifier from MDAA configuration representing logical business or organizational boundaries
+ env	No	string	No	-	Environment identifier from MDAA configuration that distinguishes deployment stages within the same domain
+ moduleName	No	string	No	-	Module name from MDAA configuration identifying the specific MDAA module deployment within a domain/environment
+ org	No	string	No	-	Organization identifier from MDAA configuration that serves as the top-level namespace for all AWS resource names

9.6.18.17.1.1. Property `root > sagemakerBlueprint > domainConfig > props > naming > props > cdkNode`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	node

Description: CDK construct node providing access to context values for custom naming implementations

9.6.18.17.1.2. Property `root > sagemakerBlueprint > domainConfig > props > naming > props > domain`


Type	`string`
Required	Yes

Description: Domain identifier from MDAA configuration representing logical business or organizational boundaries

9.6.18.17.1.3. Property `root > sagemakerBlueprint > domainConfig > props > naming > props > env`


Type	`string`
Required	Yes

Description: Environment identifier from MDAA configuration that distinguishes deployment stages within the same domain

9.6.18.17.1.4. Property `root > sagemakerBlueprint > domainConfig > props > naming > props > moduleName`


Type	`string`
Required	Yes

Description: Module name from MDAA configuration identifying the specific MDAA module deployment within a domain/environment

9.6.18.17.1.5. Property `root > sagemakerBlueprint > domainConfig > props > naming > props > org`


Type	`string`
Required	Yes

Description: Organization identifier from MDAA configuration that serves as the top-level namespace for all AWS resource names

9.6.18.18. Property `root > sagemakerBlueprint > domainConfig > props > projectIds`


Type	`object`
Required	No
Additional properties	Each additional property must conform to the schema

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	string	No	-	-

9.6.18.18.1. Property `root > sagemakerBlueprint > domainConfig > props > projectIds > additionalProperties`


Type	`string`
Required	No

9.6.18.19. Property `root > sagemakerBlueprint > domainConfig > props > refresh`


Type	`boolean`
Required	No

9.6.18.20. Property `root > sagemakerBlueprint > domainConfig > props > ssmParamBase`


Type	`string`
Required	Yes

Description: SSM parameter base path for domain configuration storage enabling centralized configuration management

9.6.19. Property `root > sagemakerBlueprint > domainConfig > ssmParamBase`


Type	`string`
Required	Yes

9.7. Property `root > sagemakerBlueprint > domainConfigSSMParam`


Type	`string`
Required	No

Description: Q-ENHANCED-PROPERTY Optional SSM parameter reference for domain configuration enabling dynamic domain configuration management. Specifies the SSM parameter containing domain configuration data for flexible domain setup and configuration management.

Use cases: Dynamic configuration; SSM parameter reference; Configuration management; Flexible setup

AWS: AWS Systems Manager parameter for DataZone domain configuration reference

Validation: Must be valid SSM parameter name if provided; parameter must contain valid domain configuration

9.8. Property `root > sagemakerBlueprint > enabledRegions`


Type	`array of string`
Required	No

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
enabledRegions items	-

9.8.1. root > sagemakerBlueprint > enabledRegions > enabledRegions items


Type	`string`
Required	No

9.9. Property `root > sagemakerBlueprint > parameters`


Type	`object`
Required	No
Additional properties	Each additional property must conform to the schema

Description: Q-ENHANCED-PROPERTY Optional object containing named parameter configurations for the SageMaker blueprint. Enables parameterized blueprint deployment with validation rules and user input constraints.

Use cases: Product parameterization; User input collection; Deployment customization

AWS: AWS SageMaker blueprint parameters for user-configurable deployment options

Validation: Must be object with string keys and valid MdaaServiceCatalogParameterConfig values if provided *

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	object	No	Same as sagemakerBlueprint_additionalAccounts_additionalProperties_parameters_additionalProperties	-

9.9.1. Property `root > sagemakerBlueprint > parameters > MdaaSageMakerBluePrintParameterConfig`


Type	`object`
Required	No
Additional properties	Not allowed
Same definition as	sagemakerBlueprint_additionalAccounts_additionalProperties_parameters_additionalProperties

9.10. Property `root > sagemakerBlueprint > provisioningRole`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	provisioningRole

10. Property `root > securityConfigurationName`


Type	`string`
Required	No

Description: Glue security configuration name for job encryption (at rest, in transit, CloudWatch logs). Auto-resolved from project when projectName is set.

Use cases: Job encryption; Security compliance

AWS: Glue security configuration

Validation: Optional; auto-wired from project if projectName provided

11. Property `root > service_catalog_product_config`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/MdaaServiceCatalogProductConfig

Description: Q-ENHANCED-PROPERTY Optional Service Catalog product configuration for governed self-service deployment enabling controlled infrastructure provisioning and governance. When specified, deploys the module as a Service Catalog product instead of direct deployment for governed access and compliance.

Use cases: Governed deployment; Self-service provisioning; Service Catalog integration; Controlled access

AWS: Service Catalog product configuration for governed infrastructure deployment and self-service provisioning

Validation: Must be valid MdaaServiceCatalogProductConfig if provided; enables Service Catalog deployment mode

Property	Pattern	Type	Deprecated	Definition	Title/Description
- launch_role_name	No	string	No	-	IAM role name that will be used to launch the Service Catalog product
+ name	No	string	No	-	Display name for the Service Catalog product that will be visible to end users in the Service Catalog console
+ owner	No	string	No	-	Owner identifier for the Service Catalog product, typically representing the team or organization
- parameters	No	object	No	-	Object containing named parameter configurations for the Service Catalog product
+ portfolio_arn	No	string	No	-	ARN of the AWS Service Catalog portfolio where the product will be associated
+ portfolio_bucket_name	No	string	No	-	-

11.1. Property `root > service_catalog_product_config > launch_role_name`


Type	`string`
Required	No

Description: IAM role name that will be used to launch the Service Catalog product

11.2. Property `root > service_catalog_product_config > name`


Type	`string`
Required	Yes

Description: Display name for the Service Catalog product that will be visible to end users in the Service Catalog console

11.3. Property `root > service_catalog_product_config > owner`


Type	`string`
Required	Yes

Description: Owner identifier for the Service Catalog product, typically representing the team or organization

11.4. Property `root > service_catalog_product_config > parameters`


Type	`object`
Required	No
Additional properties	Each additional property must conform to the schema

Description: Object containing named parameter configurations for the Service Catalog product

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	object	No	In #/definitions/MdaaServiceCatalogParameterConfig	-

11.4.1. Property `root > service_catalog_product_config > parameters > MdaaServiceCatalogParameterConfig`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/MdaaServiceCatalogParameterConfig

Property	Pattern	Type	Deprecated	Definition	Title/Description
- constraints	No	object	No	In #/definitions/MdaaServiceCatalogConstraintConfig	Constraint configuration that defines additional validation rules for the Service Catalog product parameter
+ props	No	object	No	Same as cfnParamProps	CloudFormation parameter properties that define the parameter characteristics including type,

11.4.1.1. Property `root > service_catalog_product_config > parameters > additionalProperties > constraints`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/MdaaServiceCatalogConstraintConfig

Description: Constraint configuration that defines additional validation rules for the Service Catalog product parameter

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ description	No	string	No	-	Human-readable description explaining the purpose and scope of the Service Catalog constraint
+ rules	No	object	No	-	Object containing named constraint rules that define the validation logic for Service Catalog product parameters

11.4.1.1.1. Property `root > service_catalog_product_config > parameters > additionalProperties > constraints > description`


Type	`string`
Required	Yes

Description: Human-readable description explaining the purpose and scope of the Service Catalog constraint

11.4.1.1.2. Property `root > service_catalog_product_config > parameters > additionalProperties > constraints > rules`


Type	`object`
Required	Yes
Additional properties	Each additional property must conform to the schema

Description: Object containing named constraint rules that define the validation logic for Service Catalog product parameters

Property	Pattern	Type	Deprecated	Definition	Title/Description
-	No	object	No	In #/definitions/MdaaServiceCatalogConstraintRuleConfig	-

11.4.1.1.2.1. Property `root > service_catalog_product_config > parameters > additionalProperties > constraints > rules > MdaaServiceCatalogConstraintRuleConfig`


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/MdaaServiceCatalogConstraintRuleConfig

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ assertions	No	array	No	-	Array of constraint assertions that define the validation logic to be applied when the condition is met
+ condition	No	object	No	In #/definitions/MdaaServiceCatalogConstraintRuleCondititionConfig	Condition configuration that determines when the constraint rule assertions should be evaluated

11.4.1.1.2.1.1. Property `root > service_catalog_product_config > parameters > additionalProperties > constraints > rules > additionalProperties > assertions`


Type	`array`
Required	Yes

Description: Array of constraint assertions that define the validation logic to be applied when the condition is met

	Array restrictions
Min items	N/A
Max items	N/A
Items unicity	False
Additional items	False
Tuple validation	See below

Each item of this array must be	Description
MdaaServiceCatalogConstraintRuleAssertionConfig	-

11.4.1.1.2.1.1.1. root > service_catalog_product_config > parameters > additionalProperties > constraints > rules > additionalProperties > assertions > MdaaServiceCatalogConstraintRuleAssertionConfig


Type	`object`
Required	No
Additional properties	Not allowed
Defined in	#/definitions/MdaaServiceCatalogConstraintRuleAssertionConfig

Property	Pattern	Type	Deprecated	Definition	Title/Description
+ assert	No	string	No	-	Constraint assertion expression that defines the validation logic for Service Catalog product parameters
+ description	No	string	No	-	Human-readable description explaining the purpose and requirements of the constraint assertion

11.4.1.1.2.1.1.1.1. Property `root > service_catalog_product_config > parameters > additionalProperties > constraints > rules > additionalProperties > assertions > assertions items > assert`


Type	`string`
Required	Yes

Description: Constraint assertion expression that defines the validation logic for Service Catalog product parameters

11.4.1.1.2.1.1.1.2. Property `root > service_catalog_product_config > parameters > additionalProperties > constraints > rules > additionalProperties > assertions > assertions items > description`


Type	`string`
Required	Yes

Description: Human-readable description explaining the purpose and requirements of the constraint assertion

11.4.1.1.2.1.2. Property `root > service_catalog_product_config > parameters > additionalProperties > constraints > rules > additionalProperties > condition`


Type	`object`
Required	Yes
Additional properties	Any type allowed
Defined in	#/definitions/MdaaServiceCatalogConstraintRuleCondititionConfig

Description: Condition configuration that determines when the constraint rule assertions should be evaluated

11.4.1.2. Property `root > service_catalog_product_config > parameters > additionalProperties > props`


Type	`object`
Required	Yes
Additional properties	Not allowed
Same definition as	cfnParamProps

Description: CloudFormation parameter properties that define the parameter characteristics including type,

11.5. Property `root > service_catalog_product_config > portfolio_arn`


Type	`string`
Required	Yes

Description: ARN of the AWS Service Catalog portfolio where the product will be associated

11.6. Property `root > service_catalog_product_config > portfolio_bucket_name`


Type	`string`
Required	Yes

Schema Docs

1. Property root > bucketName

2. Property root > deploymentRoleArn

3. Property root > functions

3.1. root > functions > FunctionProps

3.1.1. Property root > functions > functions items > additionalResourcePermissions

3.1.1.1. Property root > functions > functions items > additionalResourcePermissions > AdditionalResourcePermission

3.1.1.1.1. Property root > functions > functions items > additionalResourcePermissions > additionalProperties > action

3.1.1.1.2. Property root > functions > functions items > additionalResourcePermissions > additionalProperties > principal

3.1.1.1.3. Property root > functions > functions items > additionalResourcePermissions > additionalProperties > sourceAccount

3.1.1.1.4. Property root > functions > functions items > additionalResourcePermissions > additionalProperties > sourceArn

3.1.2. Property root > functions > functions items > alarms

3.1.2.1. root > functions > functions items > alarms > AlarmProps

3.1.2.1.1. Property root > functions > functions items > alarms > alarms items > actionsEnabled

3.1.2.1.2. Property root > functions > functions items > alarms > alarms items > alarmActions

3.1.2.1.2.1. root > functions > functions items > alarms > alarms items > alarmActions > alarmActions items

3.1.2.1.3. Property root > functions > functions items > alarms > alarms items > alarmDescription

3.1.2.1.4. Property root > functions > functions items > alarms > alarms items > alarmName

3.1.2.1.5. Property root > functions > functions items > alarms > alarms items > comparisonOperator

3.1.2.1.6. Property root > functions > functions items > alarms > alarms items > datapointsToAlarm

3.1.2.1.7. Property root > functions > functions items > alarms > alarms items > dimensions

3.1.2.1.7.1. Property root > functions > functions items > alarms > alarms items > dimensions > additionalProperties

3.1.2.1.8. Property root > functions > functions items > alarms > alarms items > evaluationPeriods

3.1.2.1.9. Property root > functions > functions items > alarms > alarms items > insufficientDataActions

3.1.2.1.9.1. root > functions > functions items > alarms > alarms items > insufficientDataActions > insufficientDataActions items

3.1.2.1.10. Property root > functions > functions items > alarms > alarms items > metricName

3.1.2.1.11. Property root > functions > functions items > alarms > alarms items > metrics

3.1.2.1.11.1. root > functions > functions items > alarms > alarms items > metrics > MetricDataQueryProps

3.1.2.1.11.1.1. Property root > functions > functions items > alarms > alarms items > metrics > metrics items > dimensions

3.1.2.1.11.1.1.1. Property root > functions > functions items > alarms > alarms items > metrics > metrics items > dimensions > additionalProperties

3.1.2.1.11.1.2. Property root > functions > functions items > alarms > alarms items > metrics > metrics items > expression

3.1.2.1.11.1.3. Property root > functions > functions items > alarms > alarms items > metrics > metrics items > id

3.1.2.1.11.1.4. Property root > functions > functions items > alarms > alarms items > metrics > metrics items > label

3.1.2.1.11.1.5. Property root > functions > functions items > alarms > alarms items > metrics > metrics items > metricName

3.1.2.1.11.1.6. Property root > functions > functions items > alarms > alarms items > metrics > metrics items > namespace

3.1.2.1.11.1.7. Property root > functions > functions items > alarms > alarms items > metrics > metrics items > period

3.1.2.1.11.1.8. Property root > functions > functions items > alarms > alarms items > metrics > metrics items > returnData

3.1.2.1.11.1.9. Property root > functions > functions items > alarms > alarms items > metrics > metrics items > statistic

3.1.2.1.11.1.10. Property root > functions > functions items > alarms > alarms items > metrics > metrics items > unit

3.1.2.1.12. Property root > functions > functions items > alarms > alarms items > namespace

3.1.2.1.13. Property root > functions > functions items > alarms > alarms items > okActions

3.1.2.1.13.1. root > functions > functions items > alarms > alarms items > okActions > okActions items

3.1.2.1.14. Property root > functions > functions items > alarms > alarms items > period

3.1.2.1.15. Property root > functions > functions items > alarms > alarms items > statistic

3.1.2.1.16. Property root > functions > functions items > alarms > alarms items > threshold

3.1.2.1.17. Property root > functions > functions items > alarms > alarms items > treatMissingData

3.1.2.1.18. Property root > functions > functions items > alarms > alarms items > unit

3.1.3. Property root > functions > functions items > description

3.1.4. Property root > functions > functions items > dockerBuild

3.1.5. Property root > functions > functions items > environment

3.1.5.1. Property root > functions > functions items > environment > additionalProperties

3.1.6. Property root > functions > functions items > ephemeralStorageSizeMB

3.1.7. Property root > functions > functions items > eventBridge

3.1.7.1. Property root > functions > functions items > eventBridge > eventBridgeRules

3.1.7.1.1. Property root > functions > functions items > eventBridge > eventBridgeRules > EventBridgeRuleProps

3.1.7.1.1.1. Property root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > description

3.1.7.1.1.2. Property root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventBusArn

3.1.7.1.1.3. Property root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern

3.1.7.1.1.3.1. Property root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > account

3.1.7.1.1.3.1.1. root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > account > account items

3.1.7.1.1.3.2. Property root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > detail

3.1.7.1.1.3.2.1. Property root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > detail > additionalProperties

3.1.7.1.1.3.3. Property root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > detailType

3.1.7.1.1.3.3.1. root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > detailType > detailType items

3.1.7.1.1.3.4. Property root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > id

3.1.7.1.1.3.4.1. root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > id > id items

3.1.7.1.1.3.5. Property root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > region

3.1.7.1.1.3.5.1. root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > region > region items

3.1.7.1.1.3.6. Property root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > resources

3.1.7.1.1.3.6.1. root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > resources > resources items

3.1.7.1.1.3.7. Property root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > source

3.1.7.1.1.3.7.1. root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > source > source items

3.1.7.1.1.3.8. Property root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > time

3.1.7.1.1.3.8.1. root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > time > time items

3.1.7.1.1.3.9. Property root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > version

3.1.7.1.1.3.9.1. root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > version > version items

3.1.7.1.1.4. Property root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > input

3.1.7.1.1.5. Property root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > scheduleExpression

3.1.7.2. Property root > functions > functions items > eventBridge > maxEventAgeSeconds

3.1.7.3. Property root > functions > functions items > eventBridge > retryAttempts

1. Property `root > bucketName`

2. Property `root > deploymentRoleArn`

3. Property `root > functions`

3.1.1. Property `root > functions > functions items > additionalResourcePermissions`

3.1.1.1. Property `root > functions > functions items > additionalResourcePermissions > AdditionalResourcePermission`

3.1.1.1.1. Property `root > functions > functions items > additionalResourcePermissions > additionalProperties > action`

3.1.1.1.2. Property `root > functions > functions items > additionalResourcePermissions > additionalProperties > principal`

3.1.1.1.3. Property `root > functions > functions items > additionalResourcePermissions > additionalProperties > sourceAccount`

3.1.1.1.4. Property `root > functions > functions items > additionalResourcePermissions > additionalProperties > sourceArn`

3.1.2. Property `root > functions > functions items > alarms`

3.1.2.1.1. Property `root > functions > functions items > alarms > alarms items > actionsEnabled`

3.1.2.1.2. Property `root > functions > functions items > alarms > alarms items > alarmActions`

3.1.2.1.3. Property `root > functions > functions items > alarms > alarms items > alarmDescription`

3.1.2.1.4. Property `root > functions > functions items > alarms > alarms items > alarmName`

3.1.2.1.5. Property `root > functions > functions items > alarms > alarms items > comparisonOperator`

3.1.2.1.6. Property `root > functions > functions items > alarms > alarms items > datapointsToAlarm`

3.1.2.1.7. Property `root > functions > functions items > alarms > alarms items > dimensions`

3.1.2.1.7.1. Property `root > functions > functions items > alarms > alarms items > dimensions > additionalProperties`

3.1.2.1.8. Property `root > functions > functions items > alarms > alarms items > evaluationPeriods`

3.1.2.1.9. Property `root > functions > functions items > alarms > alarms items > insufficientDataActions`

3.1.2.1.10. Property `root > functions > functions items > alarms > alarms items > metricName`

3.1.2.1.11. Property `root > functions > functions items > alarms > alarms items > metrics`

3.1.2.1.11.1.1. Property `root > functions > functions items > alarms > alarms items > metrics > metrics items > dimensions`

3.1.2.1.11.1.1.1. Property `root > functions > functions items > alarms > alarms items > metrics > metrics items > dimensions > additionalProperties`

3.1.2.1.11.1.2. Property `root > functions > functions items > alarms > alarms items > metrics > metrics items > expression`

3.1.2.1.11.1.3. Property `root > functions > functions items > alarms > alarms items > metrics > metrics items > id`

3.1.2.1.11.1.4. Property `root > functions > functions items > alarms > alarms items > metrics > metrics items > label`

3.1.2.1.11.1.5. Property `root > functions > functions items > alarms > alarms items > metrics > metrics items > metricName`

3.1.2.1.11.1.6. Property `root > functions > functions items > alarms > alarms items > metrics > metrics items > namespace`

3.1.2.1.11.1.7. Property `root > functions > functions items > alarms > alarms items > metrics > metrics items > period`

3.1.2.1.11.1.8. Property `root > functions > functions items > alarms > alarms items > metrics > metrics items > returnData`

3.1.2.1.11.1.9. Property `root > functions > functions items > alarms > alarms items > metrics > metrics items > statistic`

3.1.2.1.11.1.10. Property `root > functions > functions items > alarms > alarms items > metrics > metrics items > unit`

3.1.2.1.12. Property `root > functions > functions items > alarms > alarms items > namespace`

3.1.2.1.13. Property `root > functions > functions items > alarms > alarms items > okActions`

3.1.2.1.14. Property `root > functions > functions items > alarms > alarms items > period`

3.1.2.1.15. Property `root > functions > functions items > alarms > alarms items > statistic`

3.1.2.1.16. Property `root > functions > functions items > alarms > alarms items > threshold`

3.1.2.1.17. Property `root > functions > functions items > alarms > alarms items > treatMissingData`

3.1.2.1.18. Property `root > functions > functions items > alarms > alarms items > unit`

3.1.3. Property `root > functions > functions items > description`

3.1.4. Property `root > functions > functions items > dockerBuild`

3.1.5. Property `root > functions > functions items > environment`

3.1.5.1. Property `root > functions > functions items > environment > additionalProperties`

3.1.6. Property `root > functions > functions items > ephemeralStorageSizeMB`

3.1.7. Property `root > functions > functions items > eventBridge`

3.1.7.1. Property `root > functions > functions items > eventBridge > eventBridgeRules`

3.1.7.1.1. Property `root > functions > functions items > eventBridge > eventBridgeRules > EventBridgeRuleProps`

3.1.7.1.1.1. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > description`

3.1.7.1.1.2. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventBusArn`

3.1.7.1.1.3. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern`

3.1.7.1.1.3.1. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > account`

3.1.7.1.1.3.2. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > detail`

3.1.7.1.1.3.2.1. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > detail > additionalProperties`

3.1.7.1.1.3.3. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > detailType`

3.1.7.1.1.3.4. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > id`

3.1.7.1.1.3.5. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > region`

3.1.7.1.1.3.6. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > resources`

3.1.7.1.1.3.7. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > source`

3.1.7.1.1.3.8. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > time`

3.1.7.1.1.3.9. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > eventPattern > version`

3.1.7.1.1.4. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > input`

3.1.7.1.1.5. Property `root > functions > functions items > eventBridge > eventBridgeRules > additionalProperties > scheduleExpression`

3.1.7.2. Property `root > functions > functions items > eventBridge > maxEventAgeSeconds`

3.1.7.3. Property `root > functions > functions items > eventBridge > retryAttempts`

3.1.7.4. Property `root > functions > functions items > eventBridge > s3EventBridgeRules`

3.1.7.4.1. Property `root > functions > functions items > eventBridge > s3EventBridgeRules > S3EventBridgeRuleProps`

3.1.7.4.1.1. Property `root > functions > functions items > eventBridge > s3EventBridgeRules > additionalProperties > buckets`

3.1.7.4.1.2. Property `root > functions > functions items > eventBridge > s3EventBridgeRules > additionalProperties > eventBusArn`

3.1.7.4.1.3. Property `root > functions > functions items > eventBridge > s3EventBridgeRules > additionalProperties > prefixes`

3.1.8. Property `root > functions > functions items > functionName`

3.1.9. Property `root > functions > functions items > generatedLayerNames`

3.1.10. Property `root > functions > functions items > grantInvoke`

3.1.11. Property `root > functions > functions items > handler`

3.1.12. Property `root > functions > functions items > layerArns`

3.1.12.1. Property `root > functions > functions items > layerArns > additionalProperties`

3.1.13. Property `root > functions > functions items > logInsightsQueries`

3.1.13.1.1. Property `root > functions > functions items > logInsightsQueries > logInsightsQueries items > logGroupNames`

3.1.13.1.2. Property `root > functions > functions items > logInsightsQueries > logInsightsQueries items > queryName`

3.1.13.1.3. Property `root > functions > functions items > logInsightsQueries > logInsightsQueries items > queryString`