aws.lr

// Copyright (c) Mondoo, Inc.
// SPDX-License-Identifier: BUSL-1.1

import "../../network/resources/network.lr"

option provider = "go.mondoo.com/cnquery/v9/providers/aws"
option go_package = "go.mondoo.com/mql/v13/providers/aws/resources"

alias aws.accessAnalyzer = aws.iam.accessAnalyzer
alias aws.accessAnalyzer.analyzer = aws.iam.accessanalyzer.analyzer

// AWS resource
aws @defaults("account.id") {
  // List of `aws.vpc` objects representing all VPCs in the account across all enabled regions
  vpcs() []aws.vpc
  // List of all enabled regions in the account
  regions() []string
}

// AWS Account
aws.account @defaults("id aliases.first organization.id") {
  // Account ID
  id string
  // Account aliases
  aliases() []string
  // Information about the associated organization, if any
  organization() aws.organization
  // Tags on the account
  // Note: This operation can only be called from the organization's management
  // account or by a member account that is a delegated administrator for an
  // Amazon Web Services service.
  tags() map[string]string

  // Primary contact information for the account
  contactInformation() dict

  // All alternate contacts configured for the account
  alternateContacts() []aws.account.alternateContact

  // Security alternate contact for the account
  securityContact() aws.account.alternateContact

  // Billing alternate contact for the account
  billingContact() aws.account.alternateContact

  // Operations alternate contact for the account
  operationsContact() aws.account.alternateContact
}

// AWS Account alternate contact
private aws.account.alternateContact @defaults("contactType name emailAddress") {
  // Account ID this contact belongs to
  accountId string
  // Type of alternate contact: BILLING, OPERATIONS, or SECURITY
  contactType string
  // Email address of the contact
  emailAddress string
  // Name of the contact
  name string
  // Phone number of the contact
  phoneNumber string
  // Title of the contact
  title string
  // Whether this contact exists and is configured
  exists bool
}

// AWS Organization resource
aws.organization @defaults("id masterAccountEmail") {
  // ARN of the organization
  arn string
  // Functionality available to org: ALL or CONSOLIDATED_BILLING
  featureSet string
  // ID of the organization's master account
  masterAccountId string
  // Email owner of the organization's master account
  masterAccountEmail string
  // List of accounts that belong to the organization, if available to the caller
  accounts() []aws.account
  // Organization ID
  id string
  // List of delegated administrator accounts in the organization
  delegatedAdministrators() []aws.organization.delegatedAdministrator
}

// AWS Organization delegated administrator
private aws.organization.delegatedAdministrator @defaults("name email") {
  // ARN of the delegated administrator account
  arn string
  // Account ID of the delegated administrator
  accountId string
  // Friendly name of the account
  name string
  // Email address associated with the account
  email string
  // Account status: ACTIVE, SUSPENDED, or PENDING_CLOSURE
  status string
  // Method the account joined the organization: INVITED or CREATED
  joinedMethod string
  // Date the account joined the organization
  joinedTimestamp time
  // Date the account was made a delegated administrator
  delegationEnabledDate time
  // AWS services for which this account is a delegated administrator
  delegatedServices() []aws.organization.delegatedService
  // The account resource
  account() aws.account
}

// AWS Organization delegated service
private aws.organization.delegatedService @defaults("servicePrincipal") {
  // Service principal name (e.g., "guardduty.amazonaws.com")
  servicePrincipal string
  // Date the account became a delegated administrator for this service
  delegationEnabledDate time
}

// Amazon Virtual Private Cloud (VPC)
aws.vpc @defaults("id isDefault cidrBlock region") {
  // ARN of the VPC
  arn string
  // ID of the VPC
  id string
  // Name of the VPC
  name string
  // IPv4 CIDR block of the VPC
  cidrBlock string
  // State of the VPC: pending or available
  state string
  // Whether the VPC is the default VPC
  isDefault bool
  // How instance hardware tenancy settings are enforced on instances launched in this VPC
  instanceTenancy string
  // Region in which the VPC exists
  region string
  // List of endpoints for the VPC
  endpoints() []aws.vpc.endpoint
  // List of flow logs for the VPC
  flowLogs() []aws.vpc.flowlog
  // List of route tables for the VPC
  routeTables() []aws.vpc.routetable
  // List of subnets for the VPC
  subnets() []aws.vpc.subnet
  // Tags on the VPC
  tags map[string]string
  // NAT gateways
  natGateways() []aws.vpc.natgateway
  // List of service endpoints associated with the VPC
  serviceEndpoints() []aws.vpc.serviceEndpoint
  // List of peering connections associated with the VPC
  peeringConnections() []aws.vpc.peeringConnection
  // Internet gateway blocking mode: block-bidirectional, block-ingress, or off
  internetGatewayBlockMode string
  // ID of the set of DHCP options associated with the VPC
  dhcpOptionsId string
  // Internet gateways attached to the VPC
  internetGateways() []aws.ec2.internetgateway
  // Security groups in this VPC
  securityGroups() []aws.ec2.securitygroup
  // Network ACLs in this VPC
  networkAcls() []aws.ec2.networkacl
  // Virtual private gateways attached to the VPC
  vpnGateways() []aws.vpc.vpnGateway
}

// Amazon Virtual Private Cloud (VPC) route table
private aws.vpc.routetable @defaults("id routes.length") {
  // ARN of the route table
  arn string
  // A list of association descriptions
  associations() []aws.vpc.routetable.association
  // Unique ID of the route table
  id string
  // Region where the route table exists
  region string
  // Deprecated: Use `routeEntries` instead
  routes []dict
  // List of routes in the route table
  routeEntries() []aws.vpc.routetable.route
  // Tags on the route table
  tags map[string]string
}

// Amazon Virtual Private Cloud (VPC) route table route entry
private aws.vpc.routetable.route @defaults("destinationCidrBlock state") {
  // Unique ID for this route (route table ID + destination)
  id string
  // IPv4 CIDR block used for the destination match
  destinationCidrBlock string
  // IPv6 CIDR block used for the destination match
  destinationIpv6CidrBlock string
  // Prefix list ID for the destination match
  destinationPrefixListId string
  // ID of a gateway attached to the VPC
  gatewayId string
  // ID of a NAT instance in the VPC
  instanceId string
  // ID of the Amazon Web Services account that owns the instance
  instanceOwnerId string
  // ID of the network interface
  networkInterfaceId string
  // ID of a NAT gateway
  natGatewayId string
  // ID of a transit gateway
  transitGatewayId string
  // ID of a VPC peering connection
  vpcPeeringConnectionId string
  // ID of the egress-only internet gateway
  egressOnlyInternetGatewayId string
  // ID of the local gateway
  localGatewayId string
  // ID of the carrier gateway
  carrierGatewayId string
  // ARN of the core network
  coreNetworkArn string
  // How the route was created (CreateRouteTable, CreateRoute, EnableVgwRoutePropagation)
  origin string
  // State of the route (active, blackhole)
  state string
}

// Amazon Virtual Private Cloud (VPC) route table association
private aws.vpc.routetable.association @defaults("routeTableAssociationId gatewayId") {
  // Unique ID of the association
  routeTableAssociationId string
  // Association state
  associationsState dict
  // Unique ID of the associated gateway
  gatewayId string
  // Whether this is the main association
  main bool
  // Unique ID of the route table
  routeTableId string
  // Subnet of the route table association
  subnet() aws.vpc.subnet
}

// Amazon Virtual Private Cloud (VPC) subnet
private aws.vpc.subnet @defaults("id cidrs region availabilityZone defaultForAvailabilityZone") {
  // ARN of the subnet
  arn string
  // Unique ID of the subnet
  id string
  // Name of the subnet (from tags)
  name string
  // List of CIDR descriptions
  cidrs string
  // Whether instances launched in this subnet receive public IPv4 addresses
  mapPublicIpOnLaunch bool
  // Availability zone where this subnet is located
  availabilityZone string
  // Whether this is the default subnet for the availability zone
  defaultForAvailabilityZone bool
  // Whether a network interface created in this subnet (including a network interface created by RunInstances ) receives an IPv6 address
  assignIpv6AddressOnCreation bool
  // State of the subnet: pending, available, unavailable, failed, or failed-insufficient-capacity
  state string
  // Region in which the VPC subnet exists
  region string
  // The number of available IP addresses in the subnet
  availableIpAddressCount int
  // Internet gateway blocking mode: block-bidirectional, block-ingress, or off
  internetGatewayBlockMode string
  // Tags on the subnet
  tags map[string]string
  // Route table associated with this subnet
  routeTable() aws.vpc.routetable
}

// Amazon Virtual Private Cloud (VPC) endpoint
private aws.vpc.endpoint @defaults("id type region") {
  // Unique ID of the endpoint
  id string
  // Type of the endpoint
  type string
  // VPC in which the endpoint exists
  vpc string
  // Region in which the VPC endpoint exists
  region string
  // Endpoint service name
  serviceName string
  // Policy document associated with the endpoint, if applicable
  policyDocument string
  // Subnets for the (interface) endpoint
  subnets []string
  // Whether to associate a private hosted zone with the specified VPC
  privateDnsEnabled bool
  // VPC endpoint state
  state string
  // Creation timestamp
  createdAt time
}

// Amazon Virtual Private Cloud (VPC) flow log
private aws.vpc.flowlog @defaults("id region status") {
  // Unique ID of the flow log
  id string
  // VPC in which the flow log exists
  vpc string
  // Region in which the VPC flow log exists
  region string
  // Status of the flow log
  status string
  // Tags on the flow log
  tags map[string]string
  // Creation timestamp
  createdAt time
  // Destination for the flow log data
  destination string
  // Destination type for the flow log data
  destinationType string
   // Delivery log status for the flow log data
  deliverLogsStatus string
  // Format for the flow log
  logFormat string
  // Maximum interval of time during which a flow of packets is captured and aggregated into a flow log record: 60 seconds (1 minute) or 600 seconds (10 minutes)
  maxAggregationInterval int
  // Type of traffic to monitor: ACCEPT, ALL, and REJECT
  trafficType string
}

// Amazon Virtual Private Cloud (VPC) virtual private gateway
private aws.vpc.vpnGateway @defaults("id state") {
  // ID of the virtual private gateway
  id string
  // ARN of the virtual private gateway
  arn string
  // Region where the virtual private gateway exists
  region string
  // State of the virtual private gateway: pending, available, deleting, or deleted
  state string
  // Type of VPN connection the virtual private gateway supports (ipsec.1)
  type string
  // Private Autonomous System Number (ASN) for the Amazon side of a BGP session
  amazonSideAsn int
  // Availability zone for the virtual private gateway
  availabilityZone string
  // VPC attachments for the virtual private gateway
  attachments []dict
  // Tags on the virtual private gateway
  tags map[string]string
}

// Amazon WAF v2
aws.waf {
  // List of WAF ACLs
  acls() []aws.waf.acl
  // List of WAF rules
  ruleGroups() []aws.waf.rulegroup
  // List of WAF IP sets
  ipSets() []aws.waf.ipset
  // List of WAF regex pattern sets
  regexPatternSets() []aws.waf.regexPatternSet
  // Scope either REGIONAL or CLOUDFRONT
  scope string
}

// Amazon WAF v2 ACL
private aws.waf.acl @defaults("name") {
  // ARN of the ACL
  arn string
  // ID of the ACL
  id string
  // Name of the ACL
  name string
  // Description of the ACL
  description string
  // Whether the ACL is managed by Firewall Manager
  managedByFirewallManager() bool
  // List of WAF rules
  rules() []aws.waf.rule
  // Scope either REGIONAL or CLOUDFRONT
  scope string
  // Logging configuration for the ACL
  loggingConfiguration() aws.waf.acl.loggingConfiguration
  // ARNs of resources associated with this web ACL
  associatedResources() []string
}

// Amazon WAF v2 RuleGroup
private aws.waf.rulegroup @defaults("name") {
  // ARN of the rulegroup
  arn string
  // ID of the rulegroup
  id string
  // Name of the rulegroup
  name string
  // Description of the rulegroup
  description string
  // List of waf rules
  rules() []aws.waf.rule
  // Scope either REGIONAL or CLOUDFRONT
  scope string
}

// Amazon WAF rule
private aws.waf.rule @defaults("name") {
  // ARN of the ACL/rule group combined with the rule name
  id string
  // Name of the rule
  name string
  // Priority from lowest to highest number
  priority int
  // Part of the rule that tells WAF how to inspect a web request
  statement aws.waf.rule.statement
  // Part of the rule that tells WAF what to do with a web request when it matches the criteria defined in the rule
  action aws.waf.rule.action
  // ARN of either rule ACL or the RuleGroup that this rule belongs to
  belongsTo string
}

// Action that happens if a rule statement matches
private aws.waf.rule.action @defaults("action") {
  // Name of the rule this action belongs to
  ruleName string
  // One of Block, Allow, Count, Captcha, Challenge, Excluded_as_Count
  action string
  // HTTP Response Code, only if the action is Block
  responseCode string
}

private aws.waf.rule.statement @defaults("kind") {
  // ID of the statement
  id string
  // Kind of statement, e.g., "sqliMatchStatement"
  kind string
  // Entire statement as JSON
  json dict
  // Statement that detects SQL injection attacks
  sqliMatchStatement aws.waf.rule.statement.sqlimatchstatement
  // Statement that detects XSS attacks
  xssMatchStatement aws.waf.rule.statement.xssmatchstatement
  // Statement that matches certain bytes
  byteMatchStatement aws.waf.rule.statement.bytematchstatement
  // Statement that matches a regex pattern
  regexMatchStatement aws.waf.rule.statement.regexmatchstatement
  // Statement that matches requests from certain countries
  geoMatchStatement aws.waf.rule.statement.geomatchstatement
  // Statement that matches requests from certain ips defined in an IPSet
  ipSetReferenceStatement aws.waf.rule.statement.ipsetreferencestatement
  // Statement that matches requests with certain labels
  labelMatchStatement aws.waf.rule.statement.labelmatchstatement
  // Statement managed by AWS
  managedRuleGroupStatement aws.waf.rule.statement.managedrulegroupstatement
  // Statement that matches if the conditions are not met
  notStatement aws.waf.rule.statement.notstatement
  // Statement that matches if one or many sub-statements match
  orStatement aws.waf.rule.statement.orstatement
  // Statement that matches if all sub-statements match
  andStatement aws.waf.rule.statement.andstatement
  // Statement that matches if a request comes in at a certain rate (rate limiting)
  rateBasedStatement aws.waf.rule.statement.ratebasedstatement
  // Statement that matches a regex pattern defined in a regex pattern set
  regexPatternSetReferenceStatement aws.waf.rule.statement.regexpatternsetreferencestatement
  // Statement that refers to the rules in a rule group
  ruleGroupReferenceStatement aws.waf.rule.statement.rulegroupreferencestatement
  // Statement that matches the size of the request
  sizeConstraintStatement aws.waf.rule.statement.sizeconstraintstatement
}

// Rule statement that checks for requests from certain countries
private aws.waf.rule.statement.geomatchstatement @defaults("countryCodes") {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // Country codes
  countryCodes []string
}

// Rule statement that checks for requests from IP addresses defined in an IPSet
private aws.waf.rule.statement.ipsetreferencestatement {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // ARN of the ipset
  arn string
  // ipSetForwardedIPConfig
  ipSetForwardedIPConfig aws.waf.rule.statement.ipsetreferencestatement.ipsetforwardedipconfig
}

private aws.waf.rule.statement.ipsetreferencestatement.ipsetforwardedipconfig {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // Name of the header
  headerName string
  // Position
  position string
  // Fallback behavior
  fallbackBehavior string
}

private aws.waf.rule.statement.labelmatchstatement {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // Key
  key string
  // Scope
  scope string
}

// Rule statement that is managed by AWS
private aws.waf.rule.statement.managedrulegroupstatement @defaults("name") {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // Name
  name string
  // Vendor name
  vendorName string
}

// Rule statement that matches if all of the rule statements inside it match
private aws.waf.rule.statement.andstatement {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // Sub-statements
  statements []aws.waf.rule.statement
}

// Rule statement that negates another rule statement
private aws.waf.rule.statement.notstatement {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // Sub-statement (will be negated)
  statement aws.waf.rule.statement
}

// Rule statement that matches if one of the rule statements inside it matches
private aws.waf.rule.statement.orstatement {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // Sub-statements
  statements []aws.waf.rule.statement
}

// Rule statement that matches at a certain rate of requests (rate limiting)
private aws.waf.rule.statement.ratebasedstatement {}

// Rule statement that checks for a regex pattern defined in a regex pattern set
private aws.waf.rule.statement.regexpatternsetreferencestatement {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // ARN of the regex pattern set
  arn string
  // Field that is matched
  fieldToMatch aws.waf.rule.fieldtomatch
}

// Rule statement that refers to a group of rules
private aws.waf.rule.statement.rulegroupreferencestatement {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // ARN of the rule group
  arn string
  // List of rules to exclude
  excludeRules []string
}

// Rule statement that checks the size of the specified field
private aws.waf.rule.statement.sizeconstraintstatement {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // Size that triggers this statement
  size int
  // How to compare the size
  comparisonOperator string
  // Field to match
  fieldToMatch aws.waf.rule.fieldtomatch
}

// Rule statement that matches a specified regex pattern
private aws.waf.rule.statement.regexmatchstatement {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // Field to match
  fieldToMatch aws.waf.rule.fieldtomatch
  // Regex pattern to match
  regexString string
}

// Rule statement that matches a specified sequence of bytes
private aws.waf.rule.statement.bytematchstatement @defaults("searchString") {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // Field to match
  fieldToMatch aws.waf.rule.fieldtomatch
  // String to search for
  searchString string
}

// Field to match
private aws.waf.rule.fieldtomatch @defaults("target") {
  target string
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // Whether to match the HTTP method: GET or POST
  method bool
  // Whether to match the URI path
  uriPath bool
  // Whether to match the query string
  queryString bool
  // Whether to match all query arguments
  allQueryArguments bool
  // Whether to match the body (match if not null)
  body aws.waf.rule.fieldtomatch.body
  // Whether to match the cookie (match if not null)
  cookie aws.waf.rule.fieldtomatch.cookie
  // Whether to match the single header (match if not null)
  singleHeader aws.waf.rule.fieldtomatch.singleheader
  // Whether to match the header order (match if not null)
  headerOrder aws.waf.rule.fieldtomatch.headerorder
  // Whether to match the header (match if not null)
  headers aws.waf.rule.fieldtomatch.headers
  // Whether to match the JA3 fingerprint (match if not null)
  ja3Fingerprint aws.waf.rule.fieldtomatch.ja3fingerprint
  // Whether to match the JSON body (match if not null)
  jsonBody aws.waf.rule.fieldtomatch.jsonbody
  // Whether to match the single query argument of the field (match if not null)
  singleQueryArgument aws.waf.rule.fieldtomatch.singlequeryargument
}

// Body of the field to match
private aws.waf.rule.fieldtomatch.body {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // What to do if the body is over size
  overSizeHandling string
}

// Cookie of the field to match
private aws.waf.rule.fieldtomatch.cookie {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // What to do if the cookie is over size
  overSizeHandling string
}

// Order of headers of the field to match
private aws.waf.rule.fieldtomatch.headerorder {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // What to do if the order of headers is over size
  overSizeHandling string
}

// Single header of the field to match
private aws.waf.rule.fieldtomatch.singleheader {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // Name of the header
  name string
}

// Single query argument
private aws.waf.rule.fieldtomatch.singlequeryargument {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // Name of the query argument
  name string
}

// JA3 fingerprint
private aws.waf.rule.fieldtomatch.ja3fingerprint {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // FallbackBehavior
  fallbackBehavior string
}

// Request body as JSON
private aws.waf.rule.fieldtomatch.jsonbody {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // What to do if the body is over size
  overSizeHandling string
  // Match scope
  matchScope string
  // What to do if the body is not valid JSON
  invalidFallbackBehavior string
  // Match pattern
  matchPattern aws.waf.rule.fieldtomatch.jsonbody.matchpattern
}

// Pattern to match
private aws.waf.rule.fieldtomatch.jsonbody.matchpattern {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // Whether to match all
  all bool
  // Paths to include
  includePaths []string
}

// Headers
private aws.waf.rule.fieldtomatch.headers {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // Match scope
  matchScope string
  // What to do if the headers are over size
  overSizeHandling string
  // Match pattern
  matchPattern aws.waf.rule.fieldtomatch.headers.matchpattern
}

// Pattern to match
private aws.waf.rule.fieldtomatch.headers.matchpattern {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // Whether to match all
  all bool
  // Headers to include
  includeHeaders []string
  // Headers to exclude
  excludeHeaders []string
}


// Statement that matches XSS attacks
private aws.waf.rule.statement.xssmatchstatement {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // Field to match
  fieldToMatch aws.waf.rule.fieldtomatch
}

// Statement that matches SQLI attacks
private aws.waf.rule.statement.sqlimatchstatement {
  // Name of the rule this statement belongs to
  ruleName string
  // ID of the statement
  statementID string
  // Field to match
  fieldToMatch aws.waf.rule.fieldtomatch
  // How aggressive the statement matches
  sensitivityLevel string
}


// Amazon WAF IP set (defining IP Ranges)
private aws.waf.ipset @defaults("name") {
  // ARN of the IP set
  arn string
  // ID of the IP set
  id string
  // Scope: REGIONAL or CLOUDFRONT
  scope string
  // Name of the IP set
  name string
  // Description of the IP set
  description string
  // Address type: ipv4 or ipv6
  addressType() string
  // List of IP addresses
  addresses() dict
}

// Amazon WAF regex pattern set
private aws.waf.regexPatternSet @defaults("name") {
  // ARN of the regex pattern set
  arn string
  // ID of the regex pattern set
  id string
  // Scope: REGIONAL or CLOUDFRONT
  scope string
  // Name of the regex pattern set
  name string
  // Description of the regex pattern set
  description string
  // List of regular expression patterns
  regularExpressions []string
}

// Amazon WAF ACL logging configuration
private aws.waf.acl.loggingConfiguration @defaults("arn") {
  // ARN of the web ACL this logging config belongs to
  arn string
  // Log destination ARNs (CloudWatch, S3, or Firehose)
  logDestinationConfigs []string
  // Whether managed by Firewall Manager
  managedByFirewallManager bool
  // Fields that are redacted from logs
  redactedFields []string
}

// AWS Network Firewall
aws.networkfirewall @defaults("firewalls") {
  // List of Network Firewall firewalls
  firewalls() []aws.networkfirewall.firewall
  // List of Network Firewall policies
  policies() []aws.networkfirewall.policy
  // List of Network Firewall rule groups
  ruleGroups() []aws.networkfirewall.rulegroup
}

// AWS Network Firewall firewall
private aws.networkfirewall.firewall @defaults("arn name region") {
  // ARN of the firewall
  arn string
  // Name of the firewall
  name string
  // Description of the firewall
  description string
  // Region of the firewall
  region string
  // VPC where the firewall is deployed
  vpc() aws.vpc
  // Whether delete protection is enabled
  deleteProtection bool
  // Whether subnet change protection is enabled
  subnetChangeProtection bool
  // Whether the firewall policy change protection is enabled
  firewallPolicyChangeProtection bool
  // ARN of the firewall policy associated with the firewall
  firewallPolicyArn string
  // Firewall policy associated with this firewall
  policy() aws.networkfirewall.policy
  // Subnet mappings for the firewall
  subnetMappings []dict
  // Encryption configuration
  encryptionConfiguration dict
  // Tags on the firewall
  tags map[string]string
}

// AWS Network Firewall policy
private aws.networkfirewall.policy @defaults("arn name region") {
  // ARN of the firewall policy
  arn string
  // Name of the firewall policy
  name string
  // Description of the firewall policy
  description string
  // Region of the firewall policy
  region string
  // Stateless default actions for packets
  statelessDefaultActions []string
  // Stateless default actions for fragmented packets
  statelessFragmentDefaultActions []string
  // Stateless rule group references
  statelessRuleGroupReferences []dict
  // Stateful default actions
  statefulDefaultActions []string
  // Stateful rule group references
  statefulRuleGroupReferences []dict
  // Stateful engine options
  statefulEngineOptions dict
  // Tags on the firewall policy
  tags map[string]string
}

// AWS Network Firewall rule group
private aws.networkfirewall.rulegroup @defaults("arn name region") {
  // ARN of the rule group
  arn string
  // Name of the rule group
  name string
  // Description of the rule group
  description string
  // Region of the rule group
  region string
  // Capacity of the rule group
  capacity int
  // Type of the rule group (STATELESS or STATEFUL)
  type string
  // Rules definition
  rules dict
  // Tags on the rule group
  tags map[string]string
}

// AWS Elastic File System (EFS) service
aws.efs @defaults("filesystems") {
  // A list of file systems managed by the service
  filesystems() []aws.efs.filesystem
}

// AWS Elastic File System (EFS) file system
private aws.efs.filesystem @defaults("name id region") {
  // Name of the file system
  name string
  // ID of the file system
  id string
  // ARN of the file system
  arn string
  // Whether the file system is encrypted
  encrypted bool
  // KMS key used for encryption of the file system
  kmsKey() aws.kms.key
  // Backup policy for the file system
  backupPolicy() dict
  // Region in which the file system exists
  region string
  // Availability zone where the file system exists if a specific AZ is defined
  availabilityZone string
  // Tags for the file system
  tags map[string]string
  // Creation timestamp
  createdAt time
  // Mount targets for the file system
  mountTargets() []aws.efs.mountTarget
  // Access points for the file system
  accessPoints() []aws.efs.accessPoint
  // Resource-based policy document (JSON)
  fileSystemPolicy() string
}

// AWS EFS mount target
private aws.efs.mountTarget @defaults("mountTargetId subnetId") {
  // Mount target ID
  mountTargetId string
  // Associated file system ID
  fileSystemId string
  // Subnet ID where mount target resides
  subnetId string
  // Availability zone
  availabilityZone string
  // IP address of mount target
  ipAddress string
  // Security groups attached to mount target
  securityGroups() []aws.ec2.securitygroup
  // Mount target state (creating, available, deleting)
  lifecycleState string
  // Network interface ID
  networkInterfaceId string
  // Region where the mount target exists
  region string
}

// AWS EFS access point
private aws.efs.accessPoint @defaults("accessPointId name") {
  // Access point ID
  accessPointId string
  // Access point ARN
  arn string
  // Associated file system ID
  fileSystemId string
  // Access point name
  name string
  // POSIX user identity (uid, gid, secondaryGids)
  posixUser dict
  // Root directory configuration (path, creationInfo)
  rootDirectory dict
  // Access point state
  lifecycleState string
  // Resource tags
  tags map[string]string
  // Region where the access point exists
  region string
}

// AWS FSx service
aws.fsx @defaults("fileSystems") {
  // A list of FSx file systems
  fileSystems() []aws.fsx.filesystem
  // A list of Amazon File Cache instances
  caches() []aws.fsx.cache
  // A list of FSx backups
  backups() []aws.fsx.backup
  // A list of FSx volumes (ONTAP and OpenZFS)
  volumes() []aws.fsx.volume
}

// AWS FSx file system
private aws.fsx.filesystem @defaults("id type region") {
  // File system ID
  id string
  // File system ARN
  arn string
  // File system type (LUSTRE, WINDOWS, ONTAP, OPENZFS)
  type string
  // Lifecycle status
  lifecycle string
  // Storage capacity in GiB
  storageCapacity int
  // Storage type (SSD, HDD)
  storageType string
  // Whether file system is encrypted at rest (true if kmsKeyId is set)
  encrypted() bool
  // KMS key ID used for encryption
  // Deprecated: use kmsKey() instead
  kmsKeyId string
  // KMS key used for encryption
  kmsKey() aws.kms.key
  // VPC ID where file system resides
  // Deprecated: use vpc() instead
  vpcId string
  // VPC where the file system resides
  vpc() aws.vpc
  // Subnet IDs for file system
  subnetIds []string
  // Resource tags
  tags map[string]string
  // Creation timestamp
  createdAt time
  // Region where the file system exists
  region string
}

// AWS Amazon File Cache instance
private aws.fsx.cache @defaults("id lifecycle") {
  // Cache ID
  id string
  // Cache ARN
  arn string
  // Lifecycle status
  lifecycle string
  // Storage capacity in TiB
  storageCapacity int
  // VPC ID
  // Deprecated: use vpc() instead
  vpcId string
  // VPC where the cache resides
  vpc() aws.vpc
  // Subnet IDs
  subnetIds []string
  // Lustre-specific configuration
  lustreConfiguration dict
  // S3 data repository associations
  dataRepositoryAssociations []dict
  // Region where the cache exists
  region string
}

// AWS FSx backup
private aws.fsx.backup @defaults("backupId type lifecycle") {
  // Backup ID
  backupId string
  // Backup ARN
  arn string
  // Backup type (USER_INITIATED, AUTOMATIC, AWS_BACKUP)
  type string
  // Lifecycle status
  lifecycle string
  // Associated file system ID
  fileSystemId string
  // File system type
  fileSystemType string
  // KMS key ID used for encryption
  // Deprecated: use kmsKey() instead
  kmsKeyId string
  // KMS key used for encryption
  kmsKey() aws.kms.key
  // Creation timestamp
  createdAt time
  // Region where the backup exists
  region string
  // Resource tags
  tags map[string]string
}

// AWS FSx volume (ONTAP or OpenZFS)
private aws.fsx.volume @defaults("id name lifecycle region") {
  // Volume ID
  id string
  // Volume ARN
  arn string
  // Volume name
  name string
  // Associated file system ID
  fileSystemId string
  // Volume type (ONTAP or OPENZFS)
  volumeType string
  // Lifecycle status (AVAILABLE, CREATING, DELETING, FAILED, MISCONFIGURED, PENDING)
  lifecycle string
  // Storage virtual machine ID (ONTAP only)
  storageVirtualMachineId string
  // Creation timestamp
  createdAt time
  // Resource tags
  tags map[string]string
  // Region where the volume exists
  region string
  // ONTAP volume size in megabytes
  ontapSizeInMegabytes int
  // ONTAP junction path for NAS mount
  ontapJunctionPath string
  // ONTAP security style (UNIX, NTFS, MIXED)
  ontapSecurityStyle string
  // Whether ONTAP storage efficiency is enabled
  ontapStorageEfficiency bool
  // ONTAP snapshot policy
  ontapSnapshotPolicy string
  // Whether ONTAP copies tags to backups
  ontapCopyTagsToBackups bool
  // ONTAP volume style (FLEXVOL or FLEXGROUP)
  ontapVolumeStyle string
  // OpenZFS volume path
  openzfsVolumePath string
  // OpenZFS parent volume ID
  openzfsParentVolumeId string
  // Whether OpenZFS volume is read-only
  openzfsReadOnly bool
  // OpenZFS record size in KiB
  openzfsRecordSizeKiB int
  // OpenZFS storage capacity quota in GiB
  openzfsStorageCapacityQuotaGiB int
  // OpenZFS storage capacity reservation in GiB
  openzfsStorageCapacityReservationGiB int
  // OpenZFS data compression type (NONE, ZSTD, LZ4)
  openzfsDataCompressionType string
  // Whether OpenZFS copies tags to snapshots
  openzfsCopyTagsToSnapshots bool
}

// AWS Key Management Service (KMS)
aws.kms @defaults("keys") {
  // A list of all customer master keys (CMKs) in the caller's AWS account (across all regions)
  keys() []aws.kms.key
}

// AWS Key Management Service (KMS) key
private aws.kms.key @defaults("id region aliases metadata.Description") {
  // Unique identifier for the key
  id string
  // ARN of the key
  arn string
  // Region the key lives in
  region string
  // Whether key rotation is enabled
  keyRotationEnabled() bool
  // Metadata for the key
  metadata() dict
  // Tags for the KMS key
  tags() map[string]string
  // Aliases for the KMS key
  aliases() []string
  // Current state of the key: Creating, Enabled, Disabled, PendingDeletion, PendingImport, PendingReplicaDeletion, Unavailable, or Updating
  keyState() string
  // When the key was created
  createdAt() time
  // Scheduled deletion date for the key
  deletedAt() time
  // Whether the key is enabled
  enabled() bool
  // Description of the key
  description() string
  // Grants for the key
  grants() []aws.kms.grant
  // Whether the key is managed by AWS or the customer (AWS or CUSTOMER)
  keyManager() string
  // Key policy document in JSON format
  policy() string
}

// AWS KMS key grant
private aws.kms.grant @defaults("grantId granteePrincipal") {
  // Unique identifier for the grant
  grantId string
  // ARN of the KMS key
  keyArn string
  // Principal that receives the grant's permissions
  granteePrincipal string
  // Principal that can retire the grant
  retiringPrincipal string
  // AWS account under which the grant was issued
  issuingAccount string
  // List of operations permitted by the grant
  operations []string
  // When the grant was created
  createdAt time
}


// AWS service to create and manage permissions for users and groups
aws.iam {
  // List of IAM users in the account
  users() []aws.iam.user
  // List of IAM roles in the account
  roles() []aws.iam.role
  // List of IAM groups in the account
  groups() []aws.iam.group
  // List of IAM policies in the account
  policies() []aws.iam.policy
  // List of IAM policies attached to a user, role, or group
  attachedPolicies() []aws.iam.policy
  // IAM credential report
  credentialReport() []aws.iam.usercredentialreportentry
  // IAM account password policy for the account
  accountPasswordPolicy() dict
  // IAM account summary
  accountSummary() map[string]int
  // List of virtual mfs devices associated with the account
  virtualMfaDevices() []aws.iam.virtualmfadevice
  // List of server certificates stored in IAM
  serverCertificates() []dict
  // List of IAM instance profiles in the account
  instanceProfiles() []aws.iam.instanceProfile
  // List of SAML 2.0 identity providers configured in IAM
  samlProviders() []aws.iam.samlProvider
  // List of OpenID Connect (OIDC) identity providers configured in IAM
  oidcProviders() []aws.iam.oidcProvider
}

// Entry in AWS IAM credential report
private aws.iam.usercredentialreportentry @defaults("arn") {
  init(properties map[string]string)
  // Properties on the IAM user credential report
  properties map[string]string

  // ARN for the credential report
  arn() string

  // Whether the access key is active
  accessKey1Active() bool
  // Time when key was last rotated
  accessKey1LastRotated() time
  // Time when key was last used
  accessKey1LastUsedDate() time
  // Region in which the key was last used
  accessKey1LastUsedRegion() string
  // Service that last used the key
  accessKey1LastUsedService() string

  // Whether the access key is active
  accessKey2Active() bool
  // Time when key was last rotated
  accessKey2LastRotated() time
  // Time when key was last used
  accessKey2LastUsedDate() time
  // Region in which the key was last used
  accessKey2LastUsedRegion() string
  // Service that last used the key
  accessKey2LastUsedService() string

  // Whether the cert is active
  cert1Active() bool
  // Time when the cert was last rotated
  cert1LastRotated() time

  // Whether the cert is active
  cert2Active() bool
  // Time when the cert was last rotated
  cert2LastRotated() time

  // Whether MFA is active in the account
  mfaActive() bool
  // Whether passwords are enabled
  passwordEnabled() bool
  // Time when the password was last changed
  passwordLastChanged() time
  // Time when the password was last used
  passwordLastUsed() time
  // Next time when the password should rotate
  passwordNextRotation() time

  // IAM user
  user() aws.iam.user
  // Time when user was created
  createdAt() time
}

// AWS IAM user
private aws.iam.user @defaults("arn name createdAt") {
  // ARN of the IAM user
  arn string
  // ID of the IAM user
  id string
  // Name of the user
  name string
  // Time when user was created
  createdAt time
  // Time when password was last used
  passwordLastUsed time
  // Tags for the IAM user
  tags map[string]string
  // List of inline policies attached to the user
  policies() []string
  // List of managed policies attached to the user
  attachedPolicies() []aws.iam.policy
  // List of group ARNs that the user belongs to
  groups() []string
  // List of access keys metadata associated with the user
  accessKeys() []dict
  // Login profile for the user
  loginProfile() aws.iam.loginProfile
  // Path to the user
  path string
}

// AWS IAM instance profile
private aws.iam.instanceProfile @defaults("instanceProfileId instanceProfileName") {
  // ARN of the instance profile
  arn string
  // Time when the instance profile was created
  createdAt time
  // ID of the IAM instance profile
  instanceProfileId string
  // Name of the instance profile
  instanceProfileName string
  // Tags for the instance profile
  tags map[string]string
  // Role attached to the instanceProfile
  iamRoles() []aws.iam.role
}

// AWS IAM login profile for a user
private aws.iam.loginProfile @defaults("createdAt") {
  // Time when the login profile was created
  createdAt time
  // Whether the user is required to set a new password on next sign-in
  passwordResetRequired bool
}

// AWS IAM policy
private aws.iam.policy @defaults("arn name") {
  // ARN of the policy
  arn string
  // ID of the policy
  policyId() string
  // Name of the policy
  name() string
  // Description of the policy
  description() string
  // Whether the policy can be attached
  isAttachable() bool
  // Number of principal entities (users, groups, and roles) that the policy is attached to
  attachmentCount() int
  // Time when the policy was created
  createdAt() time
  // Time when the policy was updated
  updatedAt() time
  // Scope of the policy
  scope() string
  // List of versions for the policy
  versions() []aws.iam.policyversion
  // Default version of the policy
  defaultVersion() aws.iam.policyversion

  // List of users attached to the policy
  attachedUsers() []aws.iam.user
  // List of roles attached to the policy
  attachedRoles() []aws.iam.role
  // List of groups attached to the policy
  attachedGroups() []aws.iam.group
}

// AWS IAM policy version
private aws.iam.policyversion @defaults("arn isDefaultVersion createdAt") {
  // ARN of the policy version
  arn string
  // Version ID
  versionId string
  // Whether this version is the policy default version
  isDefaultVersion bool
  // JSON statements for this policy version
  document() dict
  // Time when this policy version was created
  createdAt time
}

// AWS IAM role
private aws.iam.role @defaults("arn name") {
  // ARN of the role
  arn string
  // ID of the role
  id string
  // Name of the role
  name string
  // Description of the role
  description string
  // Tags associated with the role
  tags map[string]string
  // Time when the role was created
  createdAt time
  // Policy document that grants an entity permission to assume the role
  assumeRolePolicyDocument dict
  // Time when the role was last used to make an AWS request
  lastUsedAt time
  // Region in which the role was last used
  lastUsedRegion string
  // Maximum session duration in seconds for the role (3600-43200)
  maxSessionDuration int
  // ARN of the permissions boundary policy attached to the role (empty string if none)
  permissionsBoundaryArn string
  // Path to the role
  path string
}

// AWS IAM group
private aws.iam.group @defaults("arn name") {
  // ARN of the group
  arn string
  // ID of the group
  id string
  // Name of the group
  name string
  // Time when the group was created
  createdAt time
  // List of usernames that belong to the group
  usernames []string
  // List of inline policy names attached to the group
  inlinePolicies() []string
  // Path to the group
  path string
}

// AWS IAM virtual MFA device
private aws.iam.virtualmfadevice @defaults("serialNumber") {
  // Serial number for the MFA device
  serialNumber string
  // Time when the MFA device was enabled
  enableDate time
  // User associated with the MFA device
  user() aws.iam.user
}

// AWS IAM SAML 2.0 identity provider
private aws.iam.samlProvider @defaults("arn name") {
  // ARN of the SAML provider
  arn string
  // Name of the SAML provider
  name() string
  // Time when the SAML provider was created
  createdAt() time
  // SAML metadata document expiration time
  validUntil() time
  // SAML metadata document in XML format
  metadataDocument() string
  // Tags associated with the SAML provider
  tags() map[string]string
}

// AWS IAM OpenID Connect (OIDC) identity provider
private aws.iam.oidcProvider @defaults("arn url") {
  // ARN of the OIDC provider
  arn string
  // URL of the identity provider
  url() string
  // List of client IDs (audiences) for the OIDC provider
  clientIds() []string
  // List of server certificate thumbprints for the OIDC provider
  thumbprints() []string
  // Time when the OIDC provider was created
  createdAt() time
  // Tags associated with the OIDC provider
  tags() map[string]string
}

// AWS IAM Access Analyzer resource (for assessing the configuration of AWS IAM Access Analyzer)
aws.iam.accessAnalyzer @defaults("analyzers") {
  // List of `aws.iam.accessanalyzer.analyzer` objects for all AWS IAM Access Analyzers configured within the account
  analyzers() []aws.iam.accessanalyzer.analyzer
  // List of all active findings for all analyzers and regions
  findings() []aws.iam.accessanalyzer.finding
  // List of all archived findings for all analyzers and regions
  archivedFindings() []aws.iam.accessanalyzer.finding
}

// AWS IAM Access Analyzer resource (provides an object representing an individual AWS IAM Access Analyzer configuration)
private aws.iam.accessanalyzer.analyzer @defaults("name type region status") {
  // ARN for the analyzer
  arn string
  // Name for the analyzer
  name string
  // Status of the analyzer: ACTIVE, CREATING, DISABLED, or FAILED
  status string
  // Type of analyzer: ACCOUNT, ORGANIZATION, ACCOUNT_UNUSED_ACCESS, ORGANIZATION_UNUSED_ACCESS, ACCOUNT_INTERNAL_ACCESS, or ORGANIZATION_INTERNAL_ACCESS
  type string
  // Region where the analyzer exists
  region string
  // Tags for the analyzer
  tags map[string]string
  // Name of the last resource that was analyzed
  lastResourceAnalyzed string
  // Last scan timestamp
  lastResourceAnalyzedAt time
  // Creation timestamp
  createdAt time
}

// AWS IAM Access Analyzer finding
private aws.iam.accessanalyzer.finding @defaults("resourceType region type status") {
  // Finding id
  id string
  // Error message
  error string
  // Resource
  resourceArn string
  // Resource owner
  resourceOwnerAccount string
  // Resource type
  resourceType string
  // Finding type
  type string
  // Finding status
  status string
  // Time the finding was generated
  analyzedAt time
  // Creation timestamp
  createdAt time
  // Creation timestamp
  updatedAt time
  // Region where the finding exists
  region string
  // Analyzer ARN
  analyzerArn string
}

// AWS SageMaker
aws.sagemaker {
  // List of SageMaker endpoints
  endpoints() []aws.sagemaker.endpoint
  // List of SageMaker notebook instances
  notebookInstances() []aws.sagemaker.notebookinstance
  // List of SageMaker models
  models() []aws.sagemaker.model
  // List of SageMaker training jobs
  trainingJobs() []aws.sagemaker.trainingjob
  // List of SageMaker processing jobs
  processingJobs() []aws.sagemaker.processingjob
  // List of SageMaker pipelines
  pipelines() []aws.sagemaker.pipeline
  // List of SageMaker domains
  domains() []aws.sagemaker.domain
}

// AWS SageMaker notebook instance
private aws.sagemaker.notebookinstance @defaults("arn name") {
  // ARN for the notebook instance
  arn string
  // Name of the notebook instance
  name string
  // Details about the notebook
  details() aws.sagemaker.notebookinstancedetails
  // Region where the notebook instance exists
  region string
  // Tags for the notebook instance
  tags() map[string]string
  // Time when the notebook instance was created
  createdAt time
  // Time when the notebook instance was last modified
  lastModifiedAt time
  // Status of the notebook instance: Pending, InService, Stopping, Stopped, Failed, Deleting, or Updating
  status string
  // URL to connect to the Jupyter notebook
  url string
}

// AWS SageMaker notebook instance details
private aws.sagemaker.notebookinstancedetails @defaults("arn") {
  // ARN for the notebook instance
  arn string
  // KMS key used to encrypt data
  kmsKey() aws.kms.key
  // Whether SageMaker provides internet access to the instance
  directInternetAccess bool
  // Whether root access is enabled for users of the notebook instance
  rootAccess bool
  // Minimum IMDS version the notebook instance supports (1 or 2)
  minimumInstanceMetadataServiceVersion string
  // VPC subnet the notebook instance is deployed in
  subnet() aws.vpc.subnet
}

// AWS SageMaker endpoint
private aws.sagemaker.endpoint @defaults("arn name") {
  // ARN for the endpoint
  arn string
  // Name of the endpoint
  name string
  // Configuration information for the endpoint
  config() dict
  // Region where the endpoint exists
  region string
  // Tags for the endpoint
  tags() map[string]string
  // Time when the endpoint was created
  createdAt time
  // Time when the endpoint was last modified
  lastModifiedAt time
  // Status of the endpoint: OutOfService, Creating, Updating, SystemUpdating, RollingBack, InService, Deleting, or Failed
  status string
}

// AWS SageMaker model
private aws.sagemaker.model @defaults("arn name") {
  // ARN for the model
  arn string
  // Name of the model
  name string
  // Region where the model exists
  region string
  // Time when the model was created
  createdAt time
  // Tags for the model
  tags() map[string]string
  // Whether network isolation is enabled for the model
  enableNetworkIsolation() bool
  // IAM execution role for the model
  iamRole() aws.iam.role
  // Primary container definition
  primaryContainer() dict
  // VPC configuration
  vpcConfig() dict
}

// AWS SageMaker training job
private aws.sagemaker.trainingjob @defaults("arn name status") {
  // ARN for the training job
  arn string
  // Name of the training job
  name string
  // Region where the training job exists
  region string
  // Status: InProgress, Completed, Failed, Stopping, Stopped
  status string
  // Time when the training job was created
  createdAt time
  // Time when the training job was last modified
  lastModifiedAt time
  // Time when the training job ended
  trainingEndTime time
  // Tags for the training job
  tags() map[string]string
  // IAM role for the training job
  iamRole() aws.iam.role
  // Algorithm specification
  algorithmSpecification() dict
  // Hyperparameters for the training job
  hyperParameters() map[string]string
  // Whether network isolation is enabled
  enableNetworkIsolation() bool
  // Whether inter-container traffic encryption is enabled
  enableInterContainerTrafficEncryption() bool
  // Failure reason if the job failed
  failureReason() string
  // Billable time in seconds
  billableTimeInSeconds() int
  // VPC configuration
  vpcConfig() dict
  // Output data configuration
  outputDataConfig() dict
  // Resource configuration (instanceType, instanceCount, volumeSizeInGB)
  resourceConfig() dict
  // Stopping condition
  stoppingCondition() dict
}

// AWS SageMaker processing job
private aws.sagemaker.processingjob @defaults("arn name status") {
  // ARN for the processing job
  arn string
  // Name of the processing job
  name string
  // Region where the processing job exists
  region string
  // Status: InProgress, Completed, Failed, Stopping, Stopped
  status string
  // Time when the processing job was created
  createdAt time
  // Time when the processing job was last modified
  lastModifiedAt time
  // Time when the processing job completed
  processingEndTime time
  // Failure reason if the job failed
  failureReason string
  // Exit message from the processing container
  exitMessage string
  // Tags for the processing job
  tags() map[string]string
  // IAM role for the processing job
  iamRole() aws.iam.role
  // Whether network isolation is enabled
  enableNetworkIsolation() bool
  // Whether inter-container traffic encryption is enabled
  enableInterContainerTrafficEncryption() bool
  // VPC configuration
  vpcConfig() dict
  // Processing resources configuration
  processingResources() dict
  // Environment variables
  environment() map[string]string
}

// AWS SageMaker pipeline
private aws.sagemaker.pipeline @defaults("arn name") {
  // ARN for the pipeline
  arn string
  // Name of the pipeline
  name string
  // Display name of the pipeline
  displayName string
  // Description of the pipeline
  description string
  // Region where the pipeline exists
  region string
  // Time when the pipeline was created
  createdAt time
  // Time when the pipeline was last modified
  lastModifiedAt time
  // Time of the last pipeline execution
  lastExecutionTime time
  // Tags for the pipeline
  tags() map[string]string
  // IAM role the pipeline uses for execution
  iamRole() aws.iam.role
  // Status of the pipeline: Active or Deleting
  pipelineStatus() string
  // Pipeline definition (JSON string)
  definition() string
  // Maximum parallelism for pipeline steps
  parallelismConfiguration() dict
}

// AWS SageMaker domain
private aws.sagemaker.domain @defaults("arn name status") {
  // ARN for the domain
  arn string
  // Domain ID
  domainId string
  // Domain name
  name string
  // Region where the domain exists
  region string
  // Status: Deleting, Failed, InService, Pending, Updating, Update_Failed, Delete_Failed
  status string
  // URL of the domain
  url string
  // Time when the domain was created
  createdAt time
  // Time when the domain was last modified
  lastModifiedAt time
  // Tags for the domain
  tags() map[string]string
  // Authentication mode: SSO or IAM
  authMode() string
  // App network access type: PublicInternetOnly or VpcOnly
  appNetworkAccessType() string
  // VPC the domain uses for communication
  vpc() aws.vpc
  // KMS key used to encrypt the EFS volume
  kmsKey() aws.kms.key
  // Home EFS file system ID
  homeEfsFileSystemId() string
  // Default user settings
  defaultUserSettings() dict
}

// AWS Simple Notification Service (SNS)
aws.sns {
  // List of SNS topics
  topics() []aws.sns.topic
}

// AWS Simple Notification Service (SNS) topic
private aws.sns.topic @defaults("arn") {
  // SNS topic ARN
  arn string
  // Region where the SNS topic exists
  region string
  // List of subscriptions associated with the topic ARN
  subscriptions() []aws.sns.subscription
  // Attributes for the SNS topic, including KMS ID if any
  attributes() dict
  // Tags for the topic
  tags() map[string]string
  // Signature version used for Amazon SNS message signing (1 or 2)
  signatureVersion() string
  // KMS master key used for server-side encryption
  kmsMasterKey() aws.kms.key
}

// AWS Simple Notification Service (SNS) subscription
private aws.sns.subscription @defaults("arn") {
  // ARN of the subscription
  arn string
  // Protocol value for the subscription (http, https, email, email-json, sqs, lambda, application, sms, firehose)
  protocol string
  // Subscription endpoint (URL, email, queue ARN, Lambda ARN, etc.)
  endpoint string
  // AWS account ID of the subscription owner
  owner string
  // Topic the subscription belongs to
  topic() aws.sns.topic
  // Region of the subscription
  region string
  // All subscription attributes
  attributes() dict
  // Whether raw message delivery is enabled (no SNS metadata wrapper)
  rawMessageDelivery() bool
  // Filter policy for message filtering
  filterPolicy() dict
  // Scope of the filter policy: MessageAttributes or MessageBody
  filterPolicyScope() string
  // Dead-letter queue configuration
  redrivePolicy() dict
  // Whether the subscription confirmation was authenticated
  confirmationWasAuthenticated() bool
  // Delivery policy for retries
  deliveryPolicy() dict
  // Whether the subscription is confirmed
  pendingConfirmation() bool
}

// AWS Elasticsearch service
aws.es {
  // List of Elasticsearch domains
  domains() []aws.es.domain
}

// Amazon Elasticsearch service domain
private aws.es.domain @defaults("arn name") {
  // ARN for the Elasticsearch domain
  arn string
  // Whether encryption at rest is enabled
  encryptionAtRestEnabled bool
  // Whether node-to-node encryption is enabled
  nodeToNodeEncryptionEnabled bool
  // Name of the Elasticsearch domain
  name string
  // Endpoint used to submit index and search requests
  endpoint string
  // Region where the domain exists
  region string
  // Tags for the domain
  tags map[string]string
  // Version of Elasticsearch running
  elasticsearchVersion string
  // Elasticsearch domain ID
  domainId string
  // Elasticsearch domain name
  domainName string
  // Whether HTTPS is required for all traffic to the domain
  enforceHTTPS bool
  // TLS security policy for the domain
  tlsSecurityPolicy string
  // Whether audit logging is enabled for the domain
  auditLogEnabled bool
}

// Amazon OpenSearch Service
aws.opensearch @defaults("domains") {
  // List of OpenSearch domains
  domains() []aws.opensearch.domain
}

// Amazon OpenSearch Service domain
private aws.opensearch.domain @defaults("name engineVersion") {
  // ARN for the OpenSearch domain
  arn string
  // Name of the domain
  name string
  // Domain ID
  domainId string
  // Region where the domain exists
  region string
  // OpenSearch or Elasticsearch engine version
  engineVersion string
  // Connection endpoint for the domain
  endpoint string
  // Whether encryption at rest is enabled
  encryptionAtRestEnabled bool
  // KMS key ID for encryption at rest
  // Deprecated: use encryptionAtRestKmsKey() instead
  encryptionAtRestKmsKeyId string
  // KMS key used for encryption at rest
  encryptionAtRestKmsKey() aws.kms.key
  // Whether node-to-node encryption is enabled
  nodeToNodeEncryptionEnabled bool
  // Whether the domain is created with a dedicated master node
  dedicatedMasterEnabled bool
  // Instance type of the dedicated master nodes
  dedicatedMasterType string
  // Number of dedicated master nodes
  dedicatedMasterCount int
  // Instance type of data nodes
  instanceType string
  // Number of data nodes
  instanceCount int
  // Whether zone awareness is enabled
  zoneAwarenessEnabled bool
  // Number of availability zones
  availabilityZoneCount int
  // Whether warm storage is enabled
  warmEnabled bool
  // Warm instance type
  warmType string
  // Number of warm nodes
  warmCount int
  // Whether cold storage is enabled
  coldStorageEnabled bool
  // EBS storage enabled
  ebsEnabled bool
  // EBS volume type
  ebsVolumeType string
  // EBS volume size in GB
  ebsVolumeSize int
  // EBS IOPS
  ebsIops int
  // EBS throughput
  ebsThroughput int
  // VPC ID if domain is in a VPC
  // Deprecated: use vpc() instead
  vpcId string
  // VPC associated with the domain
  vpc() aws.vpc
  // Whether HTTPS is required
  enforceHTTPS bool
  // TLS security policy
  tlsSecurityPolicy string
  // Whether SAML is enabled
  samlEnabled bool
  // Whether anonymous auth is enabled
  anonymousAuthEnabled bool
  // Whether internal user database is enabled
  internalUserDatabaseEnabled bool
  // Whether fine-grained access control is enabled
  advancedSecurityEnabled bool
  // Domain processing status
  processing bool
  // Domain upgrade processing status
  upgradeProcessing bool
  // Created timestamp
  createdAt time
  // Whether auto-tune is enabled
  autoTuneState string
  // Whether audit logging is enabled for the domain
  auditLogEnabled bool
  // IP address type for the domain (ipv4 or dualstack)
  ipAddressType string
  // New service software version available for the domain (empty string if up to date)
  serviceSoftwareNewVersion string
  // Whether automatic software updates are enabled
  autoSoftwareUpdateEnabled bool
  // Whether the off-peak maintenance window is enabled
  offPeakWindowEnabled bool
  // Tags for the domain
  tags() map[string]string
  // Security groups associated with the VPC domain
  securityGroups() []aws.ec2.securitygroup
  // Subnets for the VPC domain
  subnets() []aws.vpc.subnet
}

// AWS Certificate Manager resource (for assessing the configuration of AWS Certificate Manager)
aws.acm @defaults("certificates") {
  // List of `aws.acm.certificate` objects representing ACM certificates configured within the account
  certificates() []aws.acm.certificate
}

// AWS Certificate Manager Certificate resource (provides an object representing an individual ACM certificate)
private aws.acm.certificate @defaults("domainName issuer createdAt notAfter") {
  // ARN for the certificate
  arn string
  // Time before which the certificate is not valid
  notBefore time
  // Time after which the certificate is not valid
  notAfter time
  // Time when the cert was requested
  createdAt time
  // FQDN for the certificate
  domainName string
  // Status of the certificate: issued, expired, revoked, and so on
  status string
  // Name of the entity associated with the public key in the certificate
  subject string
  // Retrieves an Amazon-issued certificate and its certificate chain
  certificate() network.certificate
  // Tags associated with the certificate
  tags map[string]string
  // Algorithm used to generate the public-private key pair
  keyAlgorithm string
  // Serial number of the certificate
  serial string
  // Source of the certificate: AMAZON_ISSUED or IMPORTED
  source string
  // Name of the certificate authority that issued and signed the certificate
  issuer string
  // Time at which the certificate was issued (exists only when the certificate source is AMAZON_ISSUED)
  issuedAt time
  // Date and time when the certificate was imported (exists only when the certificate source is IMPORTED)
  importedAt time
  // Whether the certificate is eligible for renewal
  renewalEligible bool
  // Algorithm used to sign the certificate
  signatureAlgorithm string
}

// AWS Auto Scaling
aws.autoscaling @defaults("groups") {
  // List of autoscaling groups across the account
  groups() []aws.autoscaling.group
}

// AWS Auto Scaling group
private aws.autoscaling.group @defaults("name region minSize maxSize") {
  // ARN for the autoscaling group
  arn string
  // Name of the group
  name string
  // List of load balancer names associated with the group
  loadBalancerNames []string
  // Health check type used by the group: ELB or EC2
  healthCheckType string
  // Tags for the asg
  tags map[string]string
  // Full tag properties
  tagSpecifications []aws.autoscaling.group.tag
  // Region of the Auto Scaling group
  region string
  // Minimum number of instances to scale down to
  minSize int
  // Maximum number of instances to scale up to
  maxSize int
  // Time to wait after scaling up or down before starting the next scaling event
  defaultCooldown int
  // Launch configuration name
  launchConfigurationName string
  // Grace period in seconds before an instance with a failing health check is replaced
  healthCheckGracePeriod int
  // Time when the autoscaling group was created
  createdAt time
  // Maximum amount of time, in seconds, that an instance can be in service
  maxInstanceLifetime int
  // Desired size of the group
  desiredCapacity int
  // List of availability zones associated with the group
  availabilityZones []string
  // Whether Capacity Rebalancing is enabled
  capacityRebalance bool
  // Duration of the default instance warmup, in seconds
  defaultInstanceWarmup int
  // EC2 instances associated with the group
  instances() []aws.ec2.instance
  // Unit of measurement for desired capacity (attribute-based instance type selection)
  desiredCapacityType string
  // Current size of the warm pool
  warmPoolSize int
  // Predicted capacity from predictive scaling
  predictedCapacity int
  // Name of the placement group for launched instances
  placementGroup string
  // Whether newly launched instances are protected from scale-in termination
  newInstancesProtectedFromScaleIn bool
  // Target groups associated with the group
  targetGroups() []aws.elb.targetgroup
}

// AWS Auto Scaling group tag
private aws.autoscaling.group.tag @defaults("key value propagateAtLaunch") {
  // Tag key
  key string
  // Tag value
  value string
  // Whether the tag propagates to instances launched by the ASG
  propagateAtLaunch bool
  // Resource ID (ASG name)
  resourceId string
  // Resource type (always "auto-scaling-group")
  resourceType string
}

// AWS Elastic Load Balancing
aws.elb {
  // List of classic load balancers
  classicLoadBalancers() []aws.elb.loadbalancer
  // List of application, gateway, and network load balancers (elbv2)
  loadBalancers() []aws.elb.loadbalancer
}

// AWS Elastic Load Balancer (ELB) Target Group
private aws.elb.targetgroup @defaults("name port ec2Targets lambdaTargets") {
  // Name for the load balancer target group
  name string
  // ARN for the load balancer target group
  arn string
  // Port for the load balancer target group
  port int
  // Protocol for the load balancer target group
  protocol string
  // Protocol version for the load balancer target group
  protocolVersion string
  // IP address type for the load balancer target group (IPv4, IPv6)
  ipAddressType string
  // Whether health check is enabled for the load balancer target group
  healthCheckEnabled bool
  // Health check interval for the load balancer target group
  healthCheckIntervalSeconds int
  // Health check path for the load balancer target group
  healthCheckPath string
  // Health check port for the load balancer target group
  healthCheckPort string
  // Health check protocol for the load balancer target group
  healthCheckProtocol string
  // Health check timeout seconds for the load balancer target group
  healthCheckTimeoutSeconds int
  // Target type for the for the load balancer target group (instance, IP, Lambda, ALB)
  targetType string
  // Unhealthy threshold count for the load balancer target group
  unhealthyThresholdCount int
  // Healthy threshold count for the load balancer target group
  healthyThresholdCount int
  // Attributes for the load balancer target group
  attributes() aws.elb.targetgroup.attributes
  // VPC for the load balancer target group
  vpc() aws.vpc
  // EC2 targets for the load balancer target group
  ec2Targets() []aws.ec2.instance
  // Lambda targets for the load balancer target group
  lambdaTargets() []aws.lambda.function
  // Region where the target group exists
  region string
}

// AWS ELB target group attributes
private aws.elb.targetgroup.attributes {
  // Target group ARN this attributes resource belongs to
  targetGroupArn string
  // Deregistration delay timeout in seconds
  deregistrationDelayTimeoutSeconds int
  // Whether stickiness is enabled
  stickinessEnabled bool
  // Stickiness type (lb_cookie, app_cookie, source_ip, source_ip_dest_ip, source_ip_dest_ip_proto)
  stickinessType string
  // Load balancing algorithm type (round_robin, least_outstanding_requests, weighted_random)
  loadBalancingAlgorithmType string
  // Whether anomaly mitigation is enabled (on, off). Only for weighted_random algorithm
  loadBalancingAlgorithmAnomalyMitigation string
  // Slow start duration in seconds (0 = disabled). ALB with instance/IP targets only
  slowStartDurationSeconds int
  // Whether cross-zone load balancing is enabled (true, false, use_load_balancer_configuration)
  crossZoneEnabled string
  // Whether Proxy Protocol v2 is enabled. NLB only
  proxyProtocolV2Enabled bool
  // Whether client IP preservation is enabled. NLB only
  preserveClientIpEnabled bool
  // Whether connection termination on deregistration is enabled. NLB only
  connectionTerminationOnDeregistrationEnabled bool
  // Whether connection termination on unhealthy targets is enabled. NLB only
  connectionTerminationOnUnhealthyEnabled bool
  // Whether Lambda multi-value headers are enabled. ALB with Lambda targets only
  lambdaMultiValueHeadersEnabled bool
  // Target failover behavior on deregistration (rebalance, no_rebalance). GLB only
  targetFailoverOnDeregistration string
  // Target failover behavior on unhealthy (rebalance, no_rebalance). GLB only
  targetFailoverOnUnhealthy string
}

// AWS Elastic Load Balancing load balancer
private aws.elb.loadbalancer @defaults("name region elbType scheme dnsName") {
  // ARN for the load balancer
  arn string
  // DNS name for the load balancer
  dnsName string
  // List of listener configurations for the load balancer
  listenerDescriptions() []dict
  // User-specified name for the load balancer
  name string
  // Scheme for the load balancer: internet-facing or internal
  scheme string
  // A list of attributes for the load balancer
  attributes() []dict
  // Date and time the load balancer was created
  createdAt time
  // Availability zone where the load balancer runs
  availabilityZones []string
  // VPC security groups for the load balancer
  securityGroups []aws.ec2.securitygroup
  // ID of the Amazon Route 53 hosted zone associated with the load balancer
  hostedZoneId string
  // Region where the load balancer exists
  region string
  // Type of ELB. Possible values are `network`, `application`, `gateway`, or `classic`
  elbType string
  // IP address type for the load balancer (ipv4, dualstack, dualstack-without-public-ipv4)
  ipAddressType string
  // VPC where the load balancer is located
  vpc aws.vpc
  // Tags on the load balancer
  tags() map[string]string
  // List of target groups for the load balancer
  targetGroups() []aws.elb.targetgroup
  // List of EC2 instances registered with the load balancer (classic ELB only)
  instances() []aws.ec2.instance
  // List of listeners for ALB/NLB load balancers (typed)
  listeners() []aws.elb.listener
  // Typed attributes for ALB/NLB load balancers
  attribute() aws.elb.loadbalancer.attribute
}

// AWS ELB listener
private aws.elb.listener @defaults("arn port protocol") {
  // ARN for the listener
  arn string
  // ARN of the load balancer this listener belongs to
  loadBalancerArn string
  // Port on which the listener listens
  port int
  // Protocol for connections from clients to the load balancer (HTTP, HTTPS, TCP, TLS, UDP, TCP_UDP, GENEVE)
  protocol string
  // SSL policy for HTTPS/TLS listeners
  sslPolicy string
  // Default actions for the listener
  defaultActions []dict
  // Server certificates for the listener
  certificates []dict
  // ALPN policy for TLS listeners
  alpnPolicy []string
}

// AWS ELB load balancer attributes
private aws.elb.loadbalancer.attribute {
  // Load balancer ARN this attributes resource belongs to
  loadBalancerArn string
  // Whether deletion protection is enabled
  deletionProtectionEnabled bool
  // Whether cross-zone load balancing is enabled
  crossZoneEnabled string
  // Whether access logs are enabled
  accessLogsEnabled bool
  // S3 bucket for access logs
  accessLogsBucket string
  // S3 prefix for access logs
  accessLogsPrefix string
  // Idle timeout in seconds (ALB only)
  idleTimeoutSeconds int
  // HTTP desync mitigation mode (monitor, defensive, strictest). ALB only
  desyncMitigationMode string
  // Whether invalid header fields are dropped. ALB only
  dropInvalidHeaderFields bool
  // Whether Host header is preserved. ALB only
  preserveHostHeader bool
  // Whether HTTP/2 is enabled. ALB only
  http2Enabled bool
  // Whether WAF fail-open is enabled. ALB only
  wafFailOpenEnabled bool
  // Whether zonal shift is enabled
  zonalShiftEnabled bool
  // Whether connection logs are enabled. ALB only
  connectionLogsEnabled bool
  // S3 bucket for connection logs. ALB only
  connectionLogsBucket string
}

// AWS CodeBuild for building and testing code
aws.codebuild {
  // List of build projects
  projects() []aws.codebuild.project
}

// AWS CodeBuild project
private aws.codebuild.project @defaults("arn name") {
  // ARN for the project
  arn string
  // Description of the project
  description string
  // Name of the project
  name string
  // Build environment information about the project
  environment dict
  // Region where the project exists
  region string
  // Source used for the build project
  source dict
  // Tags for the project
  tags map[string]string
  // Date the project was created
  createdAt time
  // Date the project was last modified
  modifiedAt time
  // Whether the build environment has Docker privileged mode enabled
  privilegedMode bool
  // Visibility of the project's builds (PUBLIC_READ or PRIVATE)
  projectVisibility string
  // Build timeout in minutes
  timeoutInMinutes int
  // KMS key used to encrypt build output artifacts
  encryptionKey() aws.kms.key
  // IAM service role ARN used by the build project
  serviceRole string
  // Minutes a build is allowed to be queued before it times out
  queuedTimeoutInMinutes int
}

// Amazon GuardDuty for threat detection
aws.guardduty {
  // List of GuardDuty active findings
  findings() []aws.guardduty.finding
  // List of GuardDuty detectors
  detectors() []aws.guardduty.detector
}

// Amazon GuardDuty detector
private aws.guardduty.detector @defaults("id region") {
  // Unique ID for the detector
  id string
  // Region for the detector
  region string
  // Status of the detector: ENABLED or DISABLED
  status() string
  // Feature set for the detector
  features() []dict
  // Tags for the project
  tags() map[string]string
  // Publishing frequency for the detector
  findingPublishingFrequency() string
  // List of active findings by the detector
  findings() []aws.guardduty.finding
  // Time when the detector was created
  createdAt() time
  // Time when the detector was last updated
  updatedAt() time
}

// AWS Guard Duty finding
private aws.guardduty.finding @defaults("title region severity") {
  // Unique ID for the finding
  arn string
  // ID of the finding
  id string
  // Region where the finding was found
  region string
  // Title
  title string
  // Description
  description string
  // Severity of the finding
  severity float
  // Confidence level of the finding
  confidence float
  // Type of finding
  type string
  // Created at time
  createdAt time
  // Updated at time
  updatedAt time
}

// Amazon Macie
aws.macie {
  // List of Macie sessions
  sessions() []aws.macie.session
  // List of classification jobs
  classificationJobs() []aws.macie.classificationJob
  // List of findings
  findings() []aws.macie.finding
  // List of custom data identifiers
  customDataIdentifiers() []aws.macie.customDataIdentifier
}

// Amazon Macie session
private aws.macie.session @defaults("arn region status") {
  // ARN of the Macie session
  arn string
  // Region where Macie is enabled
  region string
  // Status of the Macie session: ENABLED or PAUSED
  status string
  // Date and time when the Macie session was created
  createdAt time
  // Date and time when the Macie session was last updated
  updatedAt time
  // Finding publishing frequency: FIFTEEN_MINUTES, ONE_HOUR, or SIX_HOURS
  findingPublishingFrequency() string
  // Service role ARN used by Macie
  serviceRole() string
  // Number of S3 buckets monitored by Macie
  s3BucketCount() int
}

// Amazon Macie classification job
private aws.macie.classificationJob @defaults("jobId name status region") {
  // ARN of the classification job
  arn string
  // Unique ID of the job
  jobId string
  // Name of the job
  name string
  // Region where the job runs
  region string
  // Status of the job: RUNNING, PAUSED, CANCELLED, COMPLETE, IDLE, or USER_PAUSED
  status string
  // Type of job: ONE_TIME or SCHEDULED
  jobType string
  // Date and time when the job was created
  createdAt time
  // Date and time when the job was last run
  lastRunTime() time
  // Sampling percentage for the job
  samplingPercentage() int
  // Bucket definitions for the job
  bucketDefinitions() []dict
  // Schedule frequency for the job
  scheduleFrequency() dict
  // Statistics for the job
  statistics() dict
  // Tags for the job
  tags() map[string]string
}

// Amazon Macie finding
private aws.macie.finding @defaults("id arn region type severity") {
  // Unique ID of the finding
  id string
  // ARN of the finding
  arn string
  // Region where the finding was discovered
  region string
  // Account ID where the finding was discovered
  accountId string
  // Type of the finding
  type string
  // Severity details of the finding
  severity dict
  // Category of the finding: CLASSIFICATION or POLICY
  category string
  // Whether the finding is archived
  archived bool
  // Count of occurrences for this finding
  count int
  // Date and time when the finding was created
  createdAt time
  // Date and time when the finding was last updated
  updatedAt time
  // Title of the finding
  title string
  // Description of the finding
  description string
  // Classification details for the finding
  classificationDetails() dict
  // Resources affected by the finding
  resourcesAffected() dict
}

// Amazon Macie custom data identifier
private aws.macie.customDataIdentifier @defaults("id name") {
  // Unique ID of the custom data identifier
  id string
  // ARN of the custom data identifier
  arn string
  // Name of the custom data identifier
  name string
  // Description of the custom data identifier
  description() string
  // Regular expression pattern for the identifier
  regex() string
  // Keywords for the identifier
  keywords() []string
  // Date and time when the identifier was created
  createdAt time
  // Tags for the identifier
  tags() map[string]string
}

// AWS Security Hub
aws.securityhub {
  // List of Security Hubs in the account
  hubs() []aws.securityhub.hub
}

// AWS Security Hub hub
private aws.securityhub.hub @defaults("arn region") {
  // ARN for the Security Hub
  arn string
  // Date and time when the hub was enabled
  subscribedAt string
  // Region where the Security Hub is enabled
  region string
}

// AWS Shield Advanced
aws.shield @defaults("subscriptionState") {
  // Whether Shield Advanced is active ("ACTIVE", "INACTIVE", or "UNKNOWN" if access is denied)
  subscriptionState() string
  // Shield Advanced subscription details
  subscription() aws.shield.subscription
  // List of Shield Advanced protections
  protections() []aws.shield.protection
  // List of Shield Advanced protection groups
  protectionGroups() []aws.shield.protectionGroup
  // DRT (Shield Response Team) access configuration
  drtAccess() aws.shield.drtAccess
  // Emergency contacts for proactive engagement
  emergencyContacts() []aws.shield.emergencyContact
}

// AWS Shield Advanced subscription
private aws.shield.subscription @defaults("arn startTime") {
  // ARN of the Shield subscription
  arn string
  // Start time of the subscription
  startTime time
  // End time of the subscription
  endTime time
  // Time period remaining in the subscription in days (truncated from seconds)
  timeCommitmentInDays int
  // Whether auto-renew is enabled (ENABLED or DISABLED)
  autoRenew string
  // Subscription limits
  limits []dict
  // Proactive engagement status (ENABLED, DISABLED, or PENDING)
  proactiveEngagementStatus string
}

// AWS Shield Advanced protection
private aws.shield.protection @defaults("arn name resourceArn") {
  // ID of the protection
  id string
  // ARN of the protection
  arn string
  // Name of the protection
  name string
  // ARN of the protected resource
  resourceArn string
  // Health check IDs associated with the protection
  healthCheckIds []string
  // Application layer automatic response configuration
  applicationLayerAutomaticResponseConfiguration dict
}

// AWS Shield Advanced protection group
private aws.shield.protectionGroup @defaults("id aggregation pattern") {
  // ID of the protection group
  id string
  // ARN of the protection group
  arn string
  // Aggregation type (SUM, MEAN, or MAX)
  aggregation string
  // Pattern used to select members (ALL, ARBITRARY, or BY_RESOURCE_TYPE)
  pattern string
  // Resource type criteria for BY_RESOURCE_TYPE pattern
  resourceType string
  // List of member resource ARNs (for ARBITRARY pattern)
  members []string
}

// AWS Shield Advanced DRT (Shield Response Team) access configuration
private aws.shield.drtAccess @defaults("iamRole") {
  // IAM role for the SRT to access the account
  iamRole() aws.iam.role
  // S3 log buckets the SRT can access
  logBucketList []string
}

// AWS Shield Advanced emergency contact
private aws.shield.emergencyContact @defaults("emailAddress") {
  // Email address for the contact
  emailAddress string
  // Phone number for the contact
  phoneNumber string
  // Additional notes regarding the contact
  contactNotes string
}

// AWS Secrets Manager
aws.secretsmanager {
  // List of secrets
  secrets() []aws.secretsmanager.secret
}

// AWS Secrets Manager secret
aws.secretsmanager.secret @defaults("arn name") {
  // ARN for the secret
  arn string
  // Creation date of the secret
  createdAt time
  // Description of the secret
  description string
  // KMS key used for encryption of the secret
  kmsKey() aws.kms.key
  // Last date the secret was accessed
  lastAccessedDate time
  // Last date the secret was changed
  lastChangedDate time
  // Last date the secret was automatically rotated
  lastRotatedDate time
  // Name of the secret
  name string
  // Date of the next secret rotation
  nextRotationDate time
  // AWS service that created this secret (e.g., RDS, Redshift)
  owningService string
  // Primary region of the secret
  primaryRegion string
  // Whether rotation is enabled for the secret
  rotationEnabled bool
  // Lambda function used for automatic rotation
  rotationLambda aws.lambda.function
  // Rotation schedule configuration
  rotationRules aws.secretsmanager.secret.rotationRules
  // Tags for the secret
  tags map[string]string
}

// AWS Secrets Manager secret rotation rules configuration
private aws.secretsmanager.secret.rotationRules {
  // Number of days between automatic scheduled rotations
  automaticallyAfterDays int
  // Length of the rotation window in hours (e.g., "3h")
  duration string
  // Cron or rate expression defining the rotation schedule (e.g., "rate(12 hours)")
  scheduleExpression string
}


// Amazon Elastic Container Service (ECS)
aws.ecs  @defaults("clusters containers containerInstances") {
  // List of AWS ECS Clusters
  clusters() []aws.ecs.cluster
  // List of AWS ECS Containers
  containers() []aws.ecs.container
  // List of AWS ECS Container Instances
  containerInstances() []aws.ecs.instance
  // List of AWS ECS Task Definitions
  taskDefinitions() []aws.ecs.taskDefinition
}

// Amazon ECS cluster
private aws.ecs.cluster @defaults("name region status runningTasksCount pendingTasksCount") {
  // ARN of the ECS cluster
  arn string
  // Name of the ECS cluster
  name string
  // Tags of the ECS cluster
  tags map[string]string
  // Count of running tasks in the cluster
  runningTasksCount int
  // Count of pending tasks in the cluster
  pendingTasksCount int
  // Count of container instances registered to the cluster
  registeredContainerInstancesCount int
  // Configuration for the cluster
  configuration dict
  // Cluster settings (e.g., Container Insights)
  settings map[string]string
  // Status of the cluster
  status string
  // List of AWS ECS task definitions
  tasks() []aws.ecs.task
  // List of AWS ECS container instances
  containerInstances() []aws.ecs.instance
  // List of AWS ECS services in the cluster
  services() []aws.ecs.service
  // Region where the cluster is located
  region string
  // Number of services running in the cluster
  activeServicesCount int
  // KMS key used to encrypt Fargate ephemeral storage
  fargateEphemeralStorageKmsKey() aws.kms.key
  // Capacity providers associated with the cluster
  capacityProviders []string
  // Default capacity provider strategy for the cluster
  defaultCapacityProviderStrategy() []aws.ecs.cluster.capacityProviderStrategyItem
  // Default Service Connect namespace name or ARN for the cluster
  serviceConnectNamespace string
  // Statistics for the cluster, broken down by launch type (e.g., runningEC2TasksCount, runningFargateTasksCount)
  statistics map[string]string
}

// Capacity provider strategy item for an ECS cluster
private aws.ecs.cluster.capacityProviderStrategyItem @defaults("capacityProvider base weight") {
  // Short name of the capacity provider
  capacityProvider string
  // Minimum number of tasks to run on this capacity provider
  base int
  // Relative percentage of total tasks that should use this capacity provider
  weight int
}

// AWS ECS container instance
private aws.ecs.instance {
  // Whether the agent is connected to ECS
  agentConnected bool
  // ID for the container instance
  id string
  // ARN for the container instance
  arn string
  // Capacity provider associated with the container instance
  capacityProvider string
  // If container instance is EC2 instance, this is the EC2 instance resource
  ec2Instance() aws.ec2.instance
  // Region for the container instance
  region string
}

// Amazon ECS task
private aws.ecs.task @defaults("lastStatus platformFamily platformVersion") {
  // ARN of the ECS task
  arn string
  // Cluster associated with the ECS task
  clusterName string
  // Connectivity status of the ECS task
  connectivity dict
  // Last reported status for the ECS task
  lastStatus string
  // Platform Family assigned to the ECS task
  platformFamily string
  // Platform Version assigned to the ECS task
  platformVersion string
  // User-defined tags associated with the ECS task
  tags map[string]string
  // Region where the ECS task exists
  region string
  // List of AWS ECS containers
  containers() []aws.ecs.container
}

// Amazon ECS container
private aws.ecs.container @defaults("containerName runtimeId clusterName region") {
  // Name of the ECS container + IP for unique identification
  name string
  // ARN of the ECS container
  arn string
  // Public IP address of the ECS container
  publicIp string
  // Image used for the ECS container
  image string
  // Cluster associated with the ECS container
  clusterName string
  // ARN for the task definition associated with the ECS container
  taskDefinitionArn string
  // logDriver setting for the ECS container
  logDriver string
  // Platform family associated with the ECS container
  platformFamily string
  // Platform version assigned to the ECS container
  platformVersion string
  // Status of the ECS container
  status string
  // Region where the ECS Container is located
  region string
  // Command used to start the container
  command []string
  // ARN for the task used to create the container
  taskArn string
  // Runtime ID for the container
  runtimeId string
  // Name of the ECS container
  containerName string
  // The number of CPU units set for the container. The value is 0 if no value was
  // specified in the container definition when the task definition was registered.
  cpuUnits string
  // The soft limit (in MiB) of memory set for the container.
  memorySoftLimit string
  // The hard limit (in MiB) of memory set for the container.
  memoryHardLimit string
  // Short (1024 characters max) description of the running or stopped container
  reason string
  // User to run as inside the container (from task definition)
  user string
  // Whether an init process is enabled inside the container (from task definition)
  initProcessEnabled bool
}

// Amazon ECS Task Definition
private aws.ecs.taskDefinition @defaults("arn family revision") {
  // ARN of the task definition
  arn string
  // Family name of the task definition
  family string
  // Revision number of the task definition
  revision int
  // Status of the task definition (ACTIVE, INACTIVE, DELETE_IN_PROGRESS)
  status string
  // Network mode for the task (bridge, host, awsvpc, none)
  networkMode string
  // Process namespace mode for the task (host, task)
  pidMode string
  // IPC resource namespace mode for the task (host, task, none)
  ipcMode string
  // ARN of the IAM role that containers in this task can assume
  taskRoleArn string
  // ARN of the IAM role that the Amazon ECS container agent can assume
  executionRoleArn string
  // List of container definitions in the task
  containerDefinitions() []aws.ecs.taskDefinition.containerDefinition
  // List of volumes configured for the task
  volumes() []aws.ecs.taskDefinition.volume
  // Ephemeral storage settings for the task
  ephemeralStorage() aws.ecs.taskDefinition.ephemeralStorage
  // Tags associated with the task definition
  tags() map[string]string
  // Region where the task definition is located
  region string
  // Total CPU units for the task (e.g., "256", "1024")
  cpu string
  // Total memory in MiB for the task (e.g., "512", "2048")
  memory string
  // When the task definition was registered
  registeredAt time
}

// Amazon ECS Service
private aws.ecs.service @defaults("arn name clusterArn status") {
  // ARN of the ECS service
  arn string
  // Name of the ECS service
  name string
  // ARN of the cluster the service belongs to
  clusterArn string
  // Status of the service
  status string
  // Desired number of tasks for the service
  desiredCount int
  // Number of running tasks for the service
  runningCount int
  // ARN of the task definition used by the service
  taskDefinition string
  // Launch type for the service (EC2, FARGATE, EXTERNAL, MANAGED_INSTANCES)
  launchType string
  // Deployment configuration for the service
  deploymentConfiguration() aws.ecs.service.deploymentConfiguration
  // Network configuration for the service
  networkConfiguration() aws.ecs.service.networkConfiguration
  // Tags associated with the service
  tags map[string]string
  // Creation timestamp of the service
  createdAt time
  // IAM principal that created the service
  createdBy string
  // Task sets associated with the service (for services using EXTERNAL or CODE_DEPLOY deployment controllers)
  taskSets() []aws.ecs.taskSet
  // Whether execute command functionality is enabled for the service
  enableExecuteCommand bool
  // Whether Amazon ECS managed tags are enabled for the service
  enableEcsManagedTags bool
  // Scheduling strategy for the service (REPLICA or DAEMON)
  schedulingStrategy string
  // Operating system family for the tasks in the service
  platformFamily string
  // Platform version for Fargate tasks
  platformVersion string
  // Grace period in seconds after a new task starts before health check failures count
  healthCheckGracePeriodSeconds int
}

// Amazon ECS Task Set
private aws.ecs.taskSet @defaults("arn status taskDefinition launchType") {
  // ARN of the task set
  arn string
  // ID of the task set
  id string
  // ARN of the cluster the task set belongs to
  clusterArn string
  // ARN of the service the task set belongs to
  serviceArn string
  // Status of the task set (PRIMARY, ACTIVE, DRAINING)
  status string
  // ARN of the task definition used by the task set
  taskDefinition string
  // Launch type for the task set (EC2, FARGATE, EXTERNAL, MANAGED_INSTANCES)
  launchType string
  // Fargate platform version for the task set
  platformVersion string
  // Fargate platform family for the task set
  platformFamily string
  // Network configuration for the task set
  networkConfiguration() aws.ecs.taskSet.networkConfiguration
  // Tags associated with the task set
  tags map[string]string
  // Creation timestamp of the task set
  createdAt time
  // Last updated timestamp of the task set
  updatedAt time
  // Number of running tasks in the task set
  runningCount int
  // Number of pending tasks in the task set
  pendingCount int
  // Computed desired count for the task set
  computedDesiredCount int
  // Stability status of the task set (STEADY_STATE, STABILIZING)
  stabilityStatus string
  // External ID associated with the task set
  externalId string
  // Tag that identifies what started the task set (e.g., CODE_DEPLOY)
  startedBy string
}

// Amazon ECS Task Set Network Configuration
private aws.ecs.taskSet.networkConfiguration {
  // Whether to assign a public IP address (ENABLED, DISABLED)
  assignPublicIp string
  // Subnets associated with the task set
  subnets []string
  // Security groups associated with the task set
  securityGroups []string
}

// Amazon ECS Service Deployment Configuration
private aws.ecs.service.deploymentConfiguration @defaults("maximumPercent minimumHealthyPercent") {
  // Upper limit on the number of tasks in a service that are allowed in the RUNNING or PENDING state
  maximumPercent int
  // Lower limit on the number of tasks in a service that must remain in the RUNNING state
  minimumHealthyPercent int
  // Circuit breaker configuration for the deployment
  deploymentCircuitBreaker() aws.ecs.service.deploymentConfiguration.deploymentCircuitBreaker
  // Deployment alarms configuration
  alarms dict
  // Bake time in minutes for blue/green deployments
  bakeTimeInMinutes int
  // Canary configuration for deployments
  canaryConfiguration dict
  // Lifecycle hooks configuration
  lifecycleHooks dict
  // Linear configuration for deployments
  linearConfiguration dict
  // Deployment strategy
  strategy string
}

// Amazon ECS Service Deployment Circuit Breaker
private aws.ecs.service.deploymentConfiguration.deploymentCircuitBreaker {
  // Whether to enable the deployment circuit breaker
  enable bool
  // Whether to enable rollback on deployment failure
  rollback bool
}

// Amazon ECS Service Network Configuration
private aws.ecs.service.networkConfiguration {
  // VPC configuration for the service
  awsVpcConfiguration() aws.ecs.service.networkConfiguration.awsVpcConfiguration
}

// Amazon ECS Service Network Configuration AWS VPC Configuration
private aws.ecs.service.networkConfiguration.awsVpcConfiguration {
  // Subnets associated with the service
  subnets []string
  // Security groups associated with the service
  securityGroups []string
  // Whether to assign a public IP address (ENABLED, DISABLED)
  assignPublicIp string
}

// Amazon ECS Task Definition Container Definition
private aws.ecs.taskDefinition.containerDefinition @defaults("name image") {
  // Name of the container
  name string
  // Docker image used for the container
  image string
  // Whether the container is given elevated privileges on the host container instance
  privileged bool
  // Whether the container is given read-only access to its root filesystem
  readonlyRootFilesystem bool
  // User to run the container as
  user string
  // Environment variables for the container
  environment() []aws.ecs.taskDefinition.containerDefinition.environmentVariable
  // Secrets to pass to the container
  secrets() []aws.ecs.taskDefinition.containerDefinition.secret
  // Log configuration for the container
  logConfiguration() aws.ecs.taskDefinition.containerDefinition.logConfiguration
  // Memory limit (in MiB) for the container
  memory int
  // CPU units for the container
  cpu int
  // Port mappings for the container
  portMappings() []aws.ecs.taskDefinition.containerDefinition.portMapping
  // Whether the container uses an init process (from linuxParameters)
  initProcessEnabled bool
}

// Amazon ECS Task Definition Container Environment Variable
private aws.ecs.taskDefinition.containerDefinition.environmentVariable {
  // Name of the environment variable
  name string
  // Value of the environment variable
  value string
}

// Amazon ECS Task Definition Container Secret
private aws.ecs.taskDefinition.containerDefinition.secret {
  // Name of the secret
  name string
  // ARN or name of the secret from AWS Secrets Manager or Systems Manager Parameter Store
  valueFrom string
}

// Amazon ECS Task Definition Container Log Configuration
private aws.ecs.taskDefinition.containerDefinition.logConfiguration {
  // Log driver to use (e.g., awslogs, json-file, syslog)
  logDriver string
  // Options for the log driver
  options map[string]string
}

// Amazon ECS Task Definition Container Port Mapping
private aws.ecs.taskDefinition.containerDefinition.portMapping {
  // Port number on the container
  containerPort int
  // Port number on the host
  hostPort int
  // Protocol used (tcp, udp)
  protocol string
}

// Amazon ECS Task Definition Volume
private aws.ecs.taskDefinition.volume {
  // Name of the volume
  name string
  // EFS volume configuration
  efsVolumeConfiguration() aws.ecs.taskDefinition.volume.efsVolumeConfiguration
  // Host volume configuration
  host() aws.ecs.taskDefinition.volume.host
  // Docker volume configuration
  dockerVolumeConfiguration() aws.ecs.taskDefinition.volume.dockerVolumeConfiguration
}

// Amazon ECS Task Definition Volume EFS Configuration
private aws.ecs.taskDefinition.volume.efsVolumeConfiguration {
  // ID of the EFS file system
  fileSystemId string
  // Directory within the EFS file system to mount
  rootDirectory string
  // Whether to enable encryption in transit (ENABLED, DISABLED)
  transitEncryption string
  // Port to use for transit encryption
  transitEncryptionPort int
  // Authorization configuration for EFS access
  authorizationConfig() aws.ecs.taskDefinition.volume.efsVolumeConfiguration.authorizationConfig
}

// Amazon ECS Task Definition Volume EFS Authorization Configuration
private aws.ecs.taskDefinition.volume.efsVolumeConfiguration.authorizationConfig {
  // Access point ID to use
  accessPointId string
  // Whether to use IAM authorization (ENABLED, DISABLED)
  iam string
}

// Amazon ECS Task Definition Volume Host Configuration
private aws.ecs.taskDefinition.volume.host {
  // Path on the host container instance
  sourcePath string
}

// Amazon ECS Task Definition Volume Docker Configuration
private aws.ecs.taskDefinition.volume.dockerVolumeConfiguration {
  // Scope of the volume (shared, task)
  scope string
  // Whether the Docker volume is configured to be created automatically
  autoprovision bool
  // Docker volume driver to use
  driver string
  // Driver-specific options
  driverOpts map[string]string
  // Labels for the Docker volume
  labels map[string]string
}

// Amazon ECS Task Definition Ephemeral Storage
private aws.ecs.taskDefinition.ephemeralStorage {
  // Size (in GiB) of ephemeral storage
  sizeInGiB int
}

// Amazon EMR
aws.emr {
  // List of EMR clusters
  clusters() []aws.emr.cluster
}

// Amazon EMR cluster
private aws.emr.cluster @defaults("arn") {
  // ARN for the cluster
  arn string
  // Name of the cluster
  name string
  // An approximation of the cost of the cluster, represented in m1.small/hours
  normalizedInstanceHours int
  // ARN of outpost where cluster is launched
  outpostArn string
  // Details about the current status of the cluster
  status dict
  // List of master instances for the cluster
  masterInstances() []dict
  // EMR cluster ID
  id string
  // Tags for the cluster
  tags() map[string]string
  // Name of the security configuration applied to the cluster
  securityConfiguration() string
  // Encryption configuration from the security configuration
  encryptionConfiguration() aws.emr.cluster.encryptionConfiguration
  // S3 log URI for the cluster
  logUri() string
  // Whether termination protection is enabled for the cluster
  terminationProtected() bool
  // Public DNS name of the master node
  masterPublicDnsName() string
  // KMS key used for log encryption
  logEncryptionKmsKey() aws.kms.key
}

// EMR cluster encryption configuration from the security configuration
private aws.emr.cluster.encryptionConfiguration @defaults("atRestEnabled inTransitEnabled") {
  // Whether at-rest encryption is enabled
  atRestEnabled bool
  // Whether in-transit encryption is enabled
  inTransitEnabled bool
  // At-rest encryption configuration details (S3 and local disk settings)
  atRestConfiguration dict
  // In-transit encryption configuration details (certificate provider settings)
  inTransitConfiguration dict
}

// Amazon EventBridge
aws.eventbridge @defaults("eventBuses") {
  // List of EventBridge event buses
  eventBuses() []aws.eventbridge.eventBus
  // List of EventBridge rules across all event buses
  rules() []aws.eventbridge.rule
  // List of EventBridge pipes
  pipes() []aws.eventbridge.pipe
  // List of EventBridge Scheduler schedules
  schedules() []aws.eventbridge.schedule
  // List of EventBridge Scheduler schedule groups
  scheduleGroups() []aws.eventbridge.scheduleGroup
}

// Amazon EventBridge event bus
private aws.eventbridge.eventBus @defaults("arn name") {
  // ARN of the event bus
  arn string
  // Name of the event bus
  name string
  // Region of the event bus
  region string
  // Tags for the event bus
  tags() map[string]string
  // Rules on this event bus
  rules() []aws.eventbridge.rule
}

// Amazon EventBridge rule
private aws.eventbridge.rule @defaults("arn name state") {
  // ARN of the rule
  arn string
  // Name of the rule
  name string
  // Region of the rule
  region string
  // Name of the event bus this rule belongs to
  eventBusName string
  // State: ENABLED, DISABLED, or ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS
  state string
  // Description of the rule
  description string
  // Event pattern (JSON filter)
  eventPattern string
  // Schedule expression (cron or rate)
  scheduleExpression string
  // Deprecated: Use iamRole instead
  roleArn string
  // IAM role associated with the rule
  iamRole() aws.iam.role
  // Tags for the rule
  tags() map[string]string
  // Targets for this rule
  targets() []dict
}

// Amazon EventBridge pipe
private aws.eventbridge.pipe @defaults("arn name currentState") {
  // ARN of the pipe
  arn string
  // Name of the pipe
  name string
  // Region of the pipe
  region string
  // Source resource ARN
  source string
  // Target resource ARN
  target string
  // Enrichment resource ARN
  enrichment string
  // Current state: RUNNING, STOPPED, CREATING, UPDATING, DELETING, STARTING, STOPPING, CREATE_FAILED, UPDATE_FAILED, START_FAILED, STOP_FAILED, DELETE_FAILED, CREATE_ROLLBACK_FAILED, DELETE_ROLLBACK_FAILED, UPDATE_ROLLBACK_FAILED
  currentState string
  // Desired state: RUNNING or STOPPED
  desiredState string
  // Reason for current state
  stateReason string
  // Description of the pipe
  description() string
  // IAM role associated with the pipe
  iamRole() aws.iam.role
  // Tags for the pipe
  tags() map[string]string
  // Date the pipe was created
  createdAt time
  // Date the pipe was last modified
  updatedAt time
}

// Amazon EventBridge Scheduler schedule
private aws.eventbridge.schedule @defaults("arn name state") {
  // ARN of the schedule
  arn string
  // Name of the schedule
  name string
  // Region of the schedule
  region string
  // Schedule group name
  groupName string
  // State: ENABLED or DISABLED
  state string
  // Schedule expression (cron, rate, or at)
  scheduleExpression() string
  // Description of the schedule
  description() string
  // Target ARN
  targetArn() string
  // IAM role used for the target
  iamRole() aws.iam.role
  // KMS key used for encryption
  kmsKey() aws.kms.key
  // Date the schedule was created
  createdAt time
  // Date the schedule was last modified
  updatedAt time
}

// Amazon EventBridge Scheduler schedule group
private aws.eventbridge.scheduleGroup @defaults("arn name state") {
  // ARN of the schedule group
  arn string
  // Name of the schedule group
  name string
  // Region of the schedule group
  region string
  // State: ACTIVE or DELETING
  state string
  // Date the schedule group was created
  createdAt time
  // Date the schedule group was last modified
  updatedAt time
}

// Amazon CloudWatch
aws.cloudwatch {
  // List of CloudWatch log groups
  logGroups() []aws.cloudwatch.loggroup
  // List of CloudWatch alarms
  alarms() []aws.cloudwatch.metricsalarm
  // List of CloudWatch metrics
  metrics() []aws.cloudwatch.metric
}

// Amazon CloudWatch metrics alarm
private aws.cloudwatch.metricsalarm @defaults("arn") {
  // ARN for the metric alarm
  arn string
  // Metric name associated with the alarm
  metricName string
  // Metric namespace associated with the alarm
  metricNamespace string
  // Region where the alarm exists
  region string
  // List of alarm actions (SNS topic ARNs) associated with the alarm
  actions []aws.sns.topic
  // State of the alarm
  state string
  // Description of the reason for the state
  stateReason string
  // List of SNS topic ARNs to trigger for insufficient data actions
  insufficientDataActions []aws.sns.topic
  // List of SNS topic ARNs to trigger for OK actions
  okActions []aws.sns.topic
  // Name of the alarm
  name string
  // Whether actions are enabled for the alarm
  actionsEnabled bool
}

// Amazon CloudWatch metric
private aws.cloudwatch.metric @defaults("name region") {
  // Name of the metric
  name string
  // Namespace for the metric
  namespace string
  // Region where the metric exists
  region string
  // List of CloudWatch metric alarms for the metric
  alarms() []aws.cloudwatch.metricsalarm
  // Dimensions that apply to the metric
  dimensions() []aws.cloudwatch.metricdimension
  // Statistics for the metric
  statistics() aws.cloudwatch.metricstatistics
}

// Amazon CloudWatch metric dimension
aws.cloudwatch.metricdimension @defaults("name value") {
  // Name of the dimension
  name string
  // Value of the dimension
  value string
}

// Amazon CloudWatch metric statistics
aws.cloudwatch.metricstatistics @defaults("name region") {
  init(namespace string, region string, name string)
  // Namespace for the metric
  namespace string
  // Name for the metric
  name string
  // Region for the metrics
  region string
  // Label for the statistics
  label string
  // Datapoints for the statistic over the last 24 hours in hour intervals
  datapoints []aws.cloudwatch.metric.datapoint
}

// Amazon CloudWatch metric datapoint
private aws.cloudwatch.metric.datapoint @defaults("id") {
  // Unique identifier for the datapoint
  id string
  // Timestamp of the metric datapoint
  timestamp time
  // Maximum value for the statistic
  maximum float
  // Minimum value for the statistic
  minimum float
  // Average value for the statistic
  average float
  // Sum value for the statistic
  sum float
  // Unit of the statistic
  unit string
}

// Amazon CloudWatch log group
private aws.cloudwatch.loggroup @defaults("arn") {
  // ARN of the log group
  arn string
  // Name of the log group
  name string
  // List of metric filters associated with the log group
  metricsFilters() []aws.cloudwatch.loggroup.metricsfilter
  // KMS key used for log encryption
  kmsKey() aws.kms.key
  // Region where the log group is stored
  region string
  // Number of days to retain the log events in the specified log group
  retentionInDays int
  // Tags for the log group
  tags() map[string]string
  // Data protection policy status (ACTIVATED, DELETED, ARCHIVED, DISABLED)
  dataProtectionStatus string
  // Whether deletion protection is enabled for the log group
  deletionProtectionEnabled bool
}

// Amazon CloudWatch log group metrics filter
private aws.cloudwatch.loggroup.metricsfilter @defaults("id") {
  // Unique ID for the metric
  id string
  // Filter name associated with the metric
  filterName string
  // Filter pattern associated with the metric
  filterPattern string
  // List of CloudWatch metrics
  metrics []aws.cloudwatch.metric
}

// Amazon CloudFront
aws.cloudfront @defaults("distributions functions") {
  // List of CloudFront distributions
  distributions() []aws.cloudfront.distribution
  // List of CloudFront functions
  functions() []aws.cloudfront.function
}

// Amazon CloudFront distribution
private aws.cloudfront.distribution @defaults("domainName status") {
  // ARN of the CloudFront distribution
  arn string
  // Status of the distribution
  status string
  // Domain Name of the distribution
  domainName string
  // Details on the origins of this distribution
  origins []aws.cloudfront.distribution.origin
  // Default cache behavior for the distribution
  defaultCacheBehavior dict
  // All cache behaviors for the distribution
  cacheBehaviors []dict
  // HTTP version of the distribution
  httpVersion string
  // Whether the distribution is IPV6 enabled
  isIPV6Enabled bool
  // Whether the distribution is enabled
  enabled bool
  // Price class of the distribution
  priceClass string
  // CNAMEs aliases if any for this distribution
  cnames []string
  // Viewer protocol policy for the default cache behavior (allow-all, https-only, or redirect-to-https)
  viewerProtocolPolicy string
  // Minimum SSL/TLS protocol version for viewer connections (e.g., TLSv1.2_2021)
  minimumProtocolVersion string
  // SSL support method: "sni-only", "vip", or "static-ip"
  sslSupportMethod string
  // ARN of the AWS WAF web ACL associated with the distribution (empty string if none)
  webAclId string
  // Type of geographic restriction applied to the distribution (none, whitelist, or blacklist)
  geoRestrictionType string
  // When the distribution was last modified
  lastModifiedAt time
  // User-provided comment or description for the distribution
  comment string
}

// Amazon CloudFront distribution origin
private aws.cloudfront.distribution.origin @defaults("id originPath") {
  // Domain name for the origin
  domainName string
  // Unique id for the origin
  id string
  // Number of times CloudFront attempts to connect
  connectionAttempts int
  // Number of seconds CloudFront waits when attempting a connection
  connectionTimeout int
  // Path that CloudFront appends to original domain
  originPath string
  // Account ID where the origin exists
  account string
}

// Amazon CloudFront function
private aws.cloudfront.function @defaults("name status") {
  // Name of the CloudFront function
  name string
  // Status of the CloudFront function
  status string
  // ARN of the CloudFront function
  arn string
  // Date and time when the function was last updated
  lastModifiedTime time
  // Date and time the function was created
  createdAt time
  // Stage that the function is in
  stage string
  // Comment to describe the function
  comment string
  // Runtime environment for the function
  runtime string
}

// AWS CloudTrail
aws.cloudtrail @defaults("trails") {
  // List of CloudTrail trails associated with the account
  trails() []aws.cloudtrail.trail
}

// AWS CloudTrail trail
private aws.cloudtrail.trail @defaults("name region") {
  // ARN of the trail
  arn string
  // Name of the trail
  name string
  // KMS key used to encrypt the logs
  kmsKey() aws.kms.key
  // Whether the trail exists in multiple regions (false if single region)
  isMultiRegionTrail bool
  // Whether the trail is an organization trail (logs events for management and member accounts of the organization)
  isOrganizationTrail bool
  // Whether log file validation is enabled
  logFileValidationEnabled bool
  // Whether API calls from global services are included
  includeGlobalServiceEvents bool
  // S3 bucket where trail files are delivered
  s3bucket() aws.s3.bucket
  // ARN of the SNS topic that the trail uses to send notifications
  snsTopicARN string
  // JSON list of information about the trail
  status() dict
  // Log group where trail files are delivered
  logGroup() aws.cloudwatch.loggroup
  // Role for logs endpoint to assume when writing to log group
  cloudWatchLogsRoleArn string
  // Group for logs endpoint to assume when writing to log group
  cloudWatchLogsLogGroupArn string
  // Settings for the trail's configured event selectors
  eventSelectors() []dict
  // Region in which the trail was created (home region)
  region string
  // Whether CloudTrail Insights is enabled for the trail (detects unusual API activity)
  hasInsightSelectors bool
  // Whether custom event selectors are configured (enables data event logging for S3/Lambda/DynamoDB)
  hasCustomEventSelectors bool
  // Whether logging is currently enabled for the trail
  isLogging() bool
}

// Amazon S3 bucket control
aws.s3control @defaults("accountPublicAccessBlock") {
  // Account level public access configuration for S3
  accountPublicAccessBlock() dict
}

// Amazon S3 cloud object storage
aws.s3 @defaults("buckets") {
  // List of S3 buckets across the account
  buckets() []aws.s3.bucket
}

// Amazon S3 bucket
private aws.s3.bucket @defaults("name location public") {
  // ARN of the bucket
  arn string
  // Name of the bucket
  name string
  // Policy associated with the bucket
  policy() aws.s3.bucket.policy
  // Tags for the bucket
  tags() map[string]string
  // List of access control grants associated with the bucket
  acl() []aws.s3.bucket.grant
  // Owner for the bucket
  owner() map[string]string
  // Whether the bucket is public
  public() bool
  // List of CORS information for the bucket
  cors() []aws.s3.bucket.corsrule
  // Location of the bucket
  location() string
  // Versioning state and MFA delete status of bucket
  versioning() map[string]string
  // Logging status and user permissions for bucket logging status
  logging() map[string]string
  // Website configuration for the bucket
  // Deprecated: Use `website` instead
  staticWebsiteHosting() map[string]string
  // Website configuration for the bucket
  website() aws.s3.bucket.websiteConfiguration
  // Whether the bucket is locked by default
  defaultLock() string
  // Bucket cross-region replication configuration
  replication() dict
  // Bucket encryption configuration
  encryption() dict
  // Typed encryption rules for the bucket
  encryptionRules() []aws.s3.bucket.encryptionRule
  // Typed replication rules for the bucket
  replicationRules() []aws.s3.bucket.replicationRule
  // Public access block configuration for the bucket
  publicAccessBlock() dict
  // Whether Object Lock is enabled on the bucket (prevents deletion/overwrite for ransomware protection)
  objectLockEnabled() bool
  // Whether the bucket still exists (stale reference)
  exists bool
  // Date and time the bucket was created
  createdAt time
}

// Amazon S3 bucket grant
private aws.s3.bucket.grant @defaults("name permission") {
  // ID of the bucket grant
  id string
  // Name for the bucket grant
  name string
  // Permission associated with the grant
  permission string
  // Grantee associated with the grant
  grantee map[string]string
}

// Amazon S3 bucket CORS rule
private aws.s3.bucket.corsrule @defaults("name") {
  // Name of the rule
  name string
  // List of allowed headers
  allowedHeaders []string
  // List of allowed methods: GET, POST, PUT, and so on
  allowedMethods []string
  // List of origins from which the bucket can be accessed
  allowedOrigins []string
  // List of exposed response headers
  exposeHeaders []string
  // Time in seconds that the browser caches preflight response
  maxAgeSeconds int
}

// Amazon S3 bucket server-side encryption rule
private aws.s3.bucket.encryptionRule @defaults("sseAlgorithm bucketKeyEnabled") {
  // Unique ID for this rule (bucket ARN + index)
  id string
  // Server-side encryption algorithm (AES256, aws:kms, aws:kms:dsse, aws:fsx)
  sseAlgorithm string
  // KMS master key ID for SSE-KMS encryption
  kmsMasterKeyId string
  // Whether an S3 Bucket Key is used for SSE-KMS
  bucketKeyEnabled bool
}

// Amazon S3 bucket replication rule
private aws.s3.bucket.replicationRule @defaults("id status") {
  // Unique internal identifier for this resource
  resourceId string
  // Rule ID
  id string
  // Status of the rule (Enabled, Disabled)
  status string
  // Priority of the rule
  priority int
  // Destination bucket ARN
  destinationBucket string
  // Destination account ID
  destinationAccount string
  // Destination storage class
  destinationStorageClass string
  // Whether delete marker replication is enabled
  deleteMarkerReplicationEnabled bool
  // Prefix filter (deprecated, but still used)
  prefix string
}

// Amazon S3 bucket policy
private aws.s3.bucket.policy @defaults("bucketName version") {
  // Unique ID for the policy
  name string
  // Bucket name that this policy belongs
  bucketName string
  // Document for the policy
  document string
  // Version of the policy
  version() string
  // List of statements for the policy
  statements() []dict
}

private aws.s3.bucket.websiteConfiguration {
  // Name of the index document
  indexDocument string
  // Name of the error document
  errorDocument string
  // Redirect configuration
  redirectAllRequestsTo aws.s3.bucket.websiteConfiguration.redirectAllRequestsToConf
  // Routing rules for the website
  routingRules []aws.s3.bucket.websiteConfiguration.routingRule
}

private aws.s3.bucket.websiteConfiguration.redirectAllRequestsToConf @defaults("hostname protocol") {
  // Hostname to redirect all requests to
  hostname string
  // Protocol to use when redirecting requests (http, https)
  protocol string
}

private aws.s3.bucket.websiteConfiguration.routingRule {
  // Redirect configuration for the routing rule
  redirect aws.s3.bucket.websiteConfiguration.routingRule.redirectConf
  // Condition for the routing rule
  condition aws.s3.bucket.websiteConfiguration.routingRule.conditionConf
}

private aws.s3.bucket.websiteConfiguration.routingRule.redirectConf {
  // Hostname to redirect to
  hostname string
  // HTTP redirect code to use
  httpRedirectCode string
  // Protocol to use when redirecting requests (http, https)
  protocol string
  // Key prefix to replace in the request
  replaceKeyPrefixWith string
  // Key to replace in the request
  replaceKeyWith string
}

private aws.s3.bucket.websiteConfiguration.routingRule.conditionConf {
  // HTTP error code to apply the routing rule to
  httpErrorCodeReturnedEquals string
  // Key prefix to apply the routing rule to
  keyPrefixEquals string
}

// AWS Application Auto Scaling
aws.applicationAutoscaling @defaults("namespace") {
  init(namespace string)
  // Service namespace to query for application auto scaling: comprehend, rds, sagemaker, appstream, elasticmapreduce, dynamodb, lambda, ecs, cassandra, ec2, neptune, kafka, custom-resource, elasticache, or workspaces
  namespace string
  // List of scalable targets belonging to the service namespace
  scalableTargets() []aws.applicationAutoscaling.target
}

// AWS Application Auto Scaling target
private aws.applicationAutoscaling.target @defaults("arn") {
  // Namespace for the target
  namespace string
  // ARN of the auto scaling target
  arn string
  // Resource identifier for the target
  resourceId string
  // Region where the target exists
  region string
  // Scalable dimension for the target
  scalableDimension string
  // Minimum capacity set for the auto scaling target
  minCapacity int
  // Maximum capacity set for the auto scaling target
  maxCapacity int
  // suspendedState for the auto scaling target
  suspendedState dict
  // Creation date for the auto scaling target
  createdAt time
  // Scaling policies attached to this target
  policies() []aws.applicationAutoscaling.policy
  // Scheduled scaling actions for this target
  scheduledActions() []aws.applicationAutoscaling.scheduledAction
}

// AWS Application Auto Scaling policy
private aws.applicationAutoscaling.policy @defaults("arn name policyType") {
  // ARN of the scaling policy
  arn string
  // Name of the scaling policy
  name string
  // Type of scaling policy: TargetTrackingScaling, StepScaling, or PredictiveScaling
  policyType string
  // Resource identifier associated with the policy
  resourceId string
  // Scalable dimension associated with the policy
  scalableDimension string
  // Service namespace
  namespace string
  // Date the policy was created
  createdAt time
  // CloudWatch alarms associated with the policy
  alarms []dict
  // Target tracking scaling policy configuration
  targetTrackingConfig dict
  // Step scaling policy configuration
  stepScalingConfig dict
  // Predictive scaling policy configuration
  predictiveScalingConfig dict
}

// AWS Application Auto Scaling scheduled action
private aws.applicationAutoscaling.scheduledAction @defaults("arn name schedule") {
  // ARN of the scheduled action
  arn string
  // Name of the scheduled action
  name string
  // Schedule expression (cron, rate, or at)
  schedule string
  // Timezone for the schedule
  timezone string
  // Resource identifier associated with the action
  resourceId string
  // Scalable dimension associated with the action
  scalableDimension string
  // Service namespace
  namespace string
  // Date the scheduled action was created
  createdAt time
  // Date the action is scheduled to start
  startAt time
  // Date the action is scheduled to end
  endAt time
  // Min and max capacity to set when the action runs
  scalableTargetAction dict
}

// AWS Elastic Disaster Recovery (DRS)
aws.drs @defaults("sourceServers") {
  // List of source servers being replicated
  sourceServers() []aws.drs.sourceServer
  // List of DRS jobs (recovery, drill, failback)
  jobs() []aws.drs.job
}

// AWS DRS source server
private aws.drs.sourceServer @defaults("sourceServerID arn") {
  // Source server ID
  sourceServerID string
  // Source server ARN
  arn string
  // Data replication status and progress
  dataReplicationInfo dict
  // Result of last launch (NOT_STARTED, PENDING, SUCCEEDED, FAILED)
  lastLaunchResult string
  // Lifecycle state information
  lifeCycle dict
  // Source server properties (OS, disks, network)
  sourceProperties dict
  // Staging area configuration
  stagingArea dict
  // Replication direction: FAILOVER_AND_FAILBACK or ONE_WAY
  replicationDirection string
  // ID of last recovery instance
  recoveryInstanceId string
  // Resource tags
  tags map[string]string
  // Replication settings for this server
  replicationConfiguration() aws.drs.replicationConfiguration
  // Launch settings for this server
  launchConfiguration() aws.drs.launchConfiguration
}

// AWS DRS job
private aws.drs.job @defaults("jobID type status") {
  // Job ID
  jobID string
  // Job ARN
  arn string
  // Job type (LAUNCH, CREATE_CONVERTED_SNAPSHOT, TERMINATE)
  type string
  // Job status (PENDING, STARTED, COMPLETED)
  status string
  // How job was initiated (START_RECOVERY, START_DRILL, FAILBACK, DIAGNOSTIC, TERMINATE_RECOVERY_INSTANCES, TARGET_ACCOUNT, CREATE_NETWORK_RECOVERY, UPDATE_NETWORK_RECOVERY, or ASSOCIATE_NETWORK_RECOVERY)
  initiatedBy string
  // Job creation timestamp
  createdAt time
  // Job completion timestamp
  endedAt time
  // Servers participating in job
  participatingServers []dict
}

// AWS DRS replication configuration
private aws.drs.replicationConfiguration @defaults("sourceServerID") {
  // Associated source server ID
  sourceServerID string
  // Staging area subnet ID
  stagingAreaSubnetId string
  // Staging area tags
  stagingAreaTags map[string]string
  // Whether to use dedicated replication server
  useDedicatedReplicationServer bool
  // EC2 instance type for replication server
  replicationServerInstanceType string
  // EBS encryption mode (DEFAULT, CUSTOM)
  ebsEncryption string
  // Custom KMS key for EBS encryption
  ebsEncryptionKeyArn string
  // Disk replication configuration
  replicatedDisks []dict
  // Bandwidth throttling in Mbps
  bandwidthThrottling int
}

// AWS DRS launch configuration
private aws.drs.launchConfiguration @defaults("sourceServerID") {
  // Associated source server ID
  sourceServerID string
  // Instance type right sizing method (NONE, BASIC, IN_AWS)
  targetInstanceTypeRightSizingMethod string
  // Launch disposition: STOPPED or STARTED
  launchDisposition string
  // Whether to copy private IP
  copyPrivateIp bool
  // Whether to copy tags
  copyTags bool
  // EC2 launch template ID
  ec2LaunchTemplateID string
  // Licensing configuration
  licensing dict
  // Post-launch actions
  postLaunchEnabled bool
  // Launch into instance properties
  launchIntoInstanceProperties dict
}

// AWS Backup
aws.backup @defaults("vaults") {
  // List of vaults for the service
  vaults() []aws.backup.vault
  // List of backup plans
  plans() []aws.backup.plan
}

// AWS Backup vault
private aws.backup.vault @defaults("name region") {
  // ARN of the vault
  arn string
  // Name of the vault
  name string
  // List of recovery points stored in the backup vault
  recoveryPoints() []aws.backup.vaultRecoveryPoint
  // Region of the vault
  region string
  // Date the backup vault was created
  createdAt time
  // Whether the backup is locked
  locked bool
  // Date when the backup was locked
  lockedAt time
  // ARN of the encryption key
  encryptionKeyArn string
  // The maximum retention period that the vault retains its recovery points
  maxRetentionDays int
  // The minimum retention period that the vault retains its recovery points
  minRetentionDays int
}

// AWS Backup vault recovery point
private aws.backup.vaultRecoveryPoint @defaults("resourceType completionDate status") {
  // ARN of the recovery point
  arn string
  // Resource type for the recovery point: EFS, DynamoDB, and so on
  resourceType string
  // Information about who created the recovery point
  createdBy dict
  // ARN of the IAM role used to create the recovery point
  iamRoleArn string
  // Status of the recovery point
  status string
  // Date the recovery point was created
  createdAt time
  // Date the recovery point completed
  completionDate time
  // ARN of the key used to encrypt the recovery point
  encryptionKeyArn string
  // Whether the recovery point is encrypted
  isEncrypted bool
}

// AWS Backup lifecycle settings
private aws.backup.lifecycle @defaults("deleteAfterDays moveToColdStorageAfterDays") {
  // Unique identifier
  id string
  // Number of days after creation that a recovery point is deleted
  deleteAfterDays int
  // Number of days after creation that a recovery point is moved to cold storage
  moveToColdStorageAfterDays int
  // Whether to opt in to archive for supported resources
  optInToArchiveForSupportedResources bool
}

// AWS Backup plan
private aws.backup.plan @defaults("name region") {
  // Plan ARN
  arn string
  // Plan ID
  id string
  // Plan name
  name string
  // Plan version ID
  versionId string
  // Region of the plan
  region string
  // Date the plan was created
  createdAt time
  // Date the plan was last executed
  lastExecutionDate time
  // Date the plan was deleted (if applicable)
  deletionDate time
  // Rules for the backup plan
  rules() []aws.backup.plan.rule
  // Advanced backup settings for the plan
  advancedBackupSettings []aws.backup.plan.advancedBackupSetting
}

// AWS Backup plan advanced backup setting
private aws.backup.plan.advancedBackupSetting @defaults("resourceType") {
  // Unique identifier
  id string
  // Resource type (e.g., EC2)
  resourceType string
  // Backup options (e.g., WindowsVSS, S3BackupACLs)
  backupOptions map[string]string
}

// AWS Backup plan rule
private aws.backup.plan.rule @defaults("ruleName targetBackupVaultName") {
  // Rule ID
  id string
  // Display name of the rule
  ruleName string
  // Name of the target backup vault
  targetBackupVaultName string
  // CRON expression for the backup schedule
  scheduleExpression string
  // Timezone for the schedule expression
  scheduleExpressionTimezone string
  // Number of minutes before a backup job must be started
  startWindowMinutes int
  // Number of minutes after a backup job starts before it must be completed
  completionWindowMinutes int
  // Whether continuous backups are enabled
  enableContinuousBackup bool
  // Lifecycle settings for the recovery point (transition to cold storage, deletion)
  lifecycle aws.backup.lifecycle
  // Copy actions for cross-region or cross-account backup copies
  copyActions []aws.backup.plan.rule.copyAction
  // Tags assigned to recovery points created by this rule
  recoveryPointTags map[string]string
}

// AWS Backup plan rule copy action
private aws.backup.plan.rule.copyAction @defaults("destinationBackupVaultArn") {
  // Unique identifier
  id string
  // ARN of the destination backup vault
  destinationBackupVaultArn string
  // Number of days after creation that a recovery point is deleted
  deleteAfterDays int
  // Number of days after creation that a recovery point is moved to cold storage
  moveToColdStorageAfterDays int
  // Whether to opt in to archive for supported resources
  optInToArchiveForSupportedResources bool
}

// Amazon DynamoDB
aws.dynamodb {
  // List of backups for DynamoDB
  backups() []dict
  // List of global tables for DynamoDB
  globalTables() []aws.dynamodb.globaltable
  // List of tables for DynamoDB
  tables() []aws.dynamodb.table
  // List of DynamoDB settings across all regions
  limits() []aws.dynamodb.limit
  // List of exports for DynamoDB
  exports() []aws.dynamodb.export
  // List of DAX clusters
  daxClusters() []aws.dynamodb.dax.cluster
}

// Amazon DynamoDB Accelerator (DAX) cluster
private aws.dynamodb.dax.cluster @defaults("arn clusterName") {
  // ARN for the DAX cluster
  arn string
  // Name of the DAX cluster
  clusterName string
  // Description of the cluster
  description string
  // Node type for the nodes in the cluster
  nodeType string
  // Current status of the cluster
  status string
  // Total number of nodes in the cluster
  totalNodes int
  // Number of active nodes in the cluster
  activeNodes int
  // Region where the cluster exists
  region string
  // Whether server-side encryption (SSE) is enabled (ENABLING, ENABLED, DISABLING, DISABLED)
  sseStatus string
  // Cluster endpoint encryption type (NONE or TLS)
  clusterEndpointEncryptionType string
  // Tags for the cluster
  tags() map[string]string
}

// Amazon DynamoDB Export
private aws.dynamodb.export {
  // Table associated with the export
  table() aws.dynamodb.table
  // S3 bucket associated with the export
  s3Bucket() aws.s3.bucket
  // S3 prefix for the export
  s3Prefix() string
  // Count of items in the export
  itemCount() int
  // Type of the export (FULL_EXPORT or INCREMENTAL_EXPORT)
  type string
  // Status of the export (IN_PROGRESS, COMPLETED, or FAILED)
  status string
  // Format of the export (DYNAMODB_JSON or ION)
  format() string
  // Start time of the export
  startTime() time
  // End time of the export
  endTime() time
  // S3 SSE Algorithm for the export
  s3SseAlgorithm() string
  // SSE KMS Key
  kmsKey() aws.kms.key
  // ARN for the export
  arn string
}

// Amazon DynamoDB limits
private aws.dynamodb.limit @defaults("arn") {
  // ARN representing the account + region where the limit applies
  arn string
  // Region where the limits apply
  region string
  // Account max read limit
  accountMaxRead int
  // Account max write limit
  accountMaxWrite int
  // Table max read limit
  tableMaxRead int
  // Table max write limit
  tableMaxWrite int
}

// Amazon DynamoDB global table
private aws.dynamodb.globaltable @defaults("name") {
  // ARN for the global table
  arn string
  // Table name
  name string
  // List of replica settings for the table
  replicaSettings() []dict
}

// Amazon DynamoDB table
private aws.dynamodb.table @defaults("name region") {
  // ARN for the table
  arn string
  // Table ID
  id string
  // Table name
  name string
  // Region where the table exists
  region string
  // Backups for the table
  backups() []dict
  // Description of server-side encryption for the table
  sseDescription dict
  // Type of server-side encryption: "AES256" (AWS-owned) or "KMS" (customer-managed or AWS-managed KMS key)
  sseType string
  // KMS key used for server-side encryption at rest
  sseKmsKey() aws.kms.key
  // Provisioned throughput settings for the table
  provisionedThroughput dict
  // Continuous backups and point-in-time recovery settings for the table
  continuousBackups() dict
  // Tags for the table
  tags() map[string]string
  // Date and time the table was created
  createdAt time
  // Whether deletion protection is enabled
  deletionProtectionEnabled bool
  // Global table version
  globalTableVersion string
  // Number of items in the table
  items int
  // Total size of the specified table, in bytes. DynamoDB updates this value approximately every six hours.
  sizeBytes int
  // Latest stream for this table
  latestStreamArn string
  // Current state of the table: CREATING, UPDATING, DELETING, ACTIVE, INACCESSIBLE_ENCRYPTION_CREDENTIALS, ARCHIVING, ARCHIVED, or REPLICATION_NOT_AUTHORIZED
  status string
  // Label of the latest DynamoDB stream
  latestStreamLabel string
  // Table class: STANDARD or STANDARD_INFREQUENT_ACCESS
  tableClass string
  // Whether DynamoDB Streams is enabled on the table
  streamEnabled bool
  // Type of information written to the stream: KEYS_ONLY, NEW_IMAGE, OLD_IMAGE, or NEW_AND_OLD_IMAGES
  streamViewType string
  // Billing mode: PROVISIONED or PAY_PER_REQUEST
  billingMode string
  // Regions where the table is replicated (global tables)
  replicaRegions []string
}

// Amazon Simple Queue Service (SQS)
aws.sqs {
  // List of Amazon SQS queues
  queues() []aws.sqs.queue
}

// Amazon Simple Queue Service (SQS) Queue
private aws.sqs.queue {
  // ARN for the queue
  arn() string
  // Time when the queue was created
  createdAt() time
  // Dead letter SQS queue, if any
  deadLetterQueue() aws.sqs.queue
  // Delay seconds set on the queue
  deliveryDelaySeconds() int
  // KMS Key for SSE, if any
  kmsKey() aws.kms.key
  // Time when the queue was last modified
  lastModified() time
  // Maximum amount of messages that can be received by the queue
  maxReceiveCount() int
  // Maximum message size for the queue
  maximumMessageSize() int
  // Time in seconds the queue retains messages
  messageRetentionPeriodSeconds() int
  // Time in seconds the queue waits for messages
  receiveMessageWaitTimeSeconds() int
  // Region for the queue
  region string
  // Whether SSE is enabled for the queue
  sqsManagedSseEnabled() bool
  // Type of queue: Fifo or Standard
  queueType() string
  // URL for the queue
  url string
  // Visibility timeout for the queue
  visibilityTimeoutSeconds() int
  // Deduplication scope for FIFO queues (queue or messageGroup)
  deduplicationScope() string
  // FIFO throughput limit (perQueue or perMessageGroupId)
  fifoThroughputLimit() string
  // Access policy for the queue (parsed JSON)
  policy() dict
}

// Amazon Relational Database Service (RDS)
aws.rds {
  // List of database instances
  instances() []aws.rds.dbinstance
  // List of RDS database clusters
  clusters() []aws.rds.dbcluster
  // List of all pending maintenance actions for the database instance
  allPendingMaintenanceActions() []aws.rds.pendingMaintenanceAction
  // List of all parameter groups
  parameterGroups() []aws.rds.parameterGroup
  // List of all cluster parameter groups
  clusterParameterGroups() []aws.rds.clusterParameterGroup
  // List of RDS proxies
  proxies() []aws.rds.proxy
}

// Amazon RDS Backup Setting
private aws.rds.backupsetting {
  // Target for the backup setting
  target string
  // Retention period for the backup setting
  retentionPeriod int
  // Whether dedicated log volume is enabled for the backup setting
  dedicatedLogVolume bool
  // Whether backups have encryption turned on
  encrypted bool
  // KMS key associated with the backup setting
  kmsKey() aws.kms.key
  // Region for the backup setting
  region string
  // Status of the backup setting
  status string
  // Timezone for the backup setting
  timezone string
  // Time of earliest available restore
  earliestRestoreAvailable time
  // Time of latest available restore
  latestRestoreAvailable time
}

// Amazon RDS database cluster
aws.rds.dbcluster @defaults("id region engine engineVersion") {
  // ARN for the database cluster
  arn string
  // Region where the database cluster exists
  region string
  // Identifier for the database cluster
  id string
  // List of database instances that belong to the cluster
  members []aws.rds.dbinstance
  // List of snapshots for the cluster
  snapshots() []aws.rds.snapshot
  // Tags for the database cluster
  tags map[string]string
  // Whether the cluster is encrypted
  storageEncrypted bool
  // Type of encryption for data at rest: "none", "sse-rds", or "sse-kms"
  storageEncryptionType string
  // Amount of storage, in GiB, provisioned on the cluster
  storageAllocated int
  // Storage IOPS provisioned on the cluster
  storageIops int
  // Type of storage provisioned on the cluster
  storageType string
  // Current state of the cluster
  status string
  // Date and time the RDS cluster was created
  createdAt time
  // Number of days automated snapshots are retained
  backupRetentionPeriod int
  // Whether minor version patches are applied automatically
  autoMinorVersionUpgrade bool
  // Name of the compute and memory capacity class of the cluster database instances
  clusterDbInstanceClass string
  // Name of the database engine for this database cluster
  engine string
  // Version of the database engine for this DB cluster
  engineVersion string
  // Whether the cluster is publicly accessible. Note: This will only return a value for non-Aurora Multi-AZ DB clusters
  publiclyAccessible bool
  // Whether the cluster is a Multi-AZ deployment
  multiAZ bool
  // Whether deletion protection is enabled
  deletionProtection bool
  // List of VPC security group elements that the database cluster belongs to
  securityGroups() []aws.ec2.securitygroup
  // List of Availability Zones (AZs) where instances in the database cluster can be created
  availabilityZones []string
  // Port on which the database engine is listening
  port int
  // Connection endpoint for the primary instance of the database cluster
  endpoint string
  // Cluster hosted zone ID
  hostedZoneId string
  // Master username for the database
  masterUsername string
  // Latest time to which a database can be restored with point-in-time restore
  latestRestorableTime time
  // Backup setting for the database cluster
  backupSettings() []aws.rds.backupsetting
  // Life cycle type for the database engine. By default, this value is set to `open-source-rds-extended-support`, which enrolls your DB engine into Amazon RDS Extended Support. At the end of standard support, you can avoid charges for Extended Support by setting the value to `open-source-rds-extended-support-disabled`. In this case, creating the DB engine will fail if the DB major version is past its end of standard support date.
  engineLifecycleSupport string
  // Expiration date for the instance certificate
  certificateExpiresAt time
  // ID of the Certificate Authority
  certificateAuthority string
  // Whether IAM database authentication is enabled
  iamDatabaseAuthentication bool
  // Mode of the database activity stream
  activityStreamMode string
  // Status of the database activity stream
  activityStreamStatus string
  // Interval, in seconds, between points when Enhanced Monitoring metrics are collected
  monitoringInterval int
  // Network type of the DB instance
  networkType string
  // Preferred maintenance window for the database cluster
  preferredMaintenanceWindow string
  // Preferred backup window for the database cluster
  preferredBackupWindow string
  // Whether the HTTP API endpoint is enabled
  httpEndpointEnabled bool
  // Container for engine configuration values
  parameterGroupName string
  // Global cluster identifier if the cluster is a global cluster member
  globalClusterIdentifier string
  // CloudWatch Database Insights mode. Possible values are `standard` and `advanced`
  databaseInsightsMode string
  // KMS key used for storage encryption
  kmsKey() aws.kms.key
  // Whether Performance Insights is enabled for the DB cluster
  performanceInsightsEnabled bool
  // DB engine mode (provisioned, serverless, parallelquery, global)
  engineMode string
  // Earliest point-in-time restore timestamp
  earliestRestorableTime time
  // KMS key used to encrypt the activity stream
  activityStreamKmsKey() aws.kms.key
  // Master user secret managed by Secrets Manager
  masterUserSecret dict
  // Whether tags are automatically copied to snapshots of the DB cluster
  copyTagsToSnapshot bool
}

// Amazon RDS snapshot
private aws.rds.snapshot @defaults("id region type encrypted createdAt") {
  // ARN of the snapshot
  arn string
  // ID of the snapshot
  id string
  // Attribute values that describe permissions to restore the snapshot
  attributes() []dict
  // Type of snapshot: manual or automated
  type string
  // Whether the snapshot is encrypted
  encrypted bool
  // Type of encryption for data at rest: "none", "sse-rds", or "sse-kms"
  storageEncryptionType string
  // Region where the snapshot exists
  region string
  // Whether the snapshot is for a cluster
  isClusterSnapshot bool
  // Tags for the snapshot
  tags map[string]string
  // Snapshot DB engine
  engine string
  // Snapshot DB engine version
  engineVersion string
  // Snapshot status
  status string
  // Port that the database instance or cluster listens on
  port int
  // Allocated storage size in gibibytes (GiB)
  allocatedStorage int
  // Creation date of the snapshot
  createdAt time
  // KMS key used for snapshot encryption
  kmsKey() aws.kms.key
}

// Amazon RDS database instance
aws.rds.dbinstance @defaults("id region engine engineVersion") {
  // ARN for the database instance
  arn string
  // Identifier for the database instance
  id string
  // Name of the database instance
  name string
  // Number of days automated snapshots are retained
  backupRetentionPeriod int
  // List of snapshots for the database instance
  snapshots() []aws.rds.snapshot
  // Whether the instance is encrypted
  storageEncrypted bool
  // Type of encryption for data at rest: "none", "sse-rds", or "sse-kms"
  storageEncryptionType string
  // Amount of storage, in GiB, provisioned on the instance
  storageAllocated int
  // Storage IOPS provisioned on the instance
  storageIops int
  // Type of storage provisioned on the instance
  storageType string
  // Region where the instance exists
  region string
  // Availability zone where the instance exists
  availabilityZone string
  // Whether the instance is publicly accessible
  publiclyAccessible bool
  // List of log types the instance is configured to export to CloudWatch logs
  enabledCloudwatchLogsExports []string
  // Whether deletion protection is enabled
  deletionProtection bool
  // Whether the instance is a Multi-AZ deployment
  multiAZ bool
  // Interval, in seconds, between points when Enhanced Monitoring metrics are collected
  monitoringInterval int
  // ARN of the CloudWatch log stream that receives the enhanced monitoring metrics data
  enhancedMonitoringResourceArn string
  // Tags for the database instance
  tags map[string]string
  // Name of the compute and memory capacity class of the database instance
  dbInstanceClass string
  // User-supplied unique key that identifies a database instance
  dbInstanceIdentifier string
  // Name of the database engine for this database instance
  engine string
  // Version of the database engine for this database instance
  engineVersion string
  // List of VPC security group elements that the database instance belongs to
  securityGroups() []aws.ec2.securitygroup
  // Current state of this database
  status string
  // Whether minor version patches are applied automatically
  autoMinorVersionUpgrade bool
  // Date and time the RDS instance was created
  createdAt time
  // Port that the database instance listens on. If the database instance is part of a DB cluster, this can be a different port than the DB cluster port.
  port int
  // Connection endpoint for the database instance
  endpoint string
  // Master username for the database instance
  masterUsername string
  // Latest time to which a database can be restored with point-in-time restore
  latestRestorableTime time
  // Backup setting for the database instance
  backupSettings() []aws.rds.backupsetting
  // Subnet for the RDS instance
  subnets() []aws.vpc.subnet
  // Life cycle type for the database engine. By default, this value is set to `open-source-rds-extended-support`, which enrolls your DB engine into Amazon RDS Extended Support. At the end of standard support, you can avoid charges for Extended Support by setting the value to `open-source-rds-extended-support-disabled`. In this case, creating the DB engine will fail if the DB major version is past its end of standard support date.
  engineLifecycleSupport string
  // Expiration date for the instance certificate
  certificateExpiresAt time
  // ID of the Certificate Authority
  certificateAuthority string
  // Whether IAM database authentication is enabled
  iamDatabaseAuthentication bool
  // Assigned IAM instance profile
  customIamInstanceProfile string
  // Mode of the database activity stream
  activityStreamMode string
  // Status of the database activity stream
  activityStreamStatus string
  // List of pending maintenance actions for the database instance
  pendingMaintenanceActions() []aws.rds.pendingMaintenanceAction
  // Network type of the DB instance
  networkType string
  // Preferred maintenance window for the database cluster
  preferredMaintenanceWindow string
  // Preferred backup window for the database cluster
  preferredBackupWindow string
  // KMS key used for storage encryption
  kmsKey() aws.kms.key
  // Whether Performance Insights is enabled for the DB instance
  performanceInsightsEnabled bool
  // Whether tags are automatically copied to snapshots of the DB instance
  copyTagsToSnapshot bool
  // KMS key used to encrypt Performance Insights data
  performanceInsightsKmsKey() aws.kms.key
  // License model for the DB instance
  licenseModel string
  // Upper limit to which Amazon RDS can automatically scale the storage of the DB instance
  maxAllocatedStorage int
  // Whether a dedicated log volume is enabled
  dedicatedLogVolume bool
  // Region-unique immutable identifier for the DB instance
  dbiResourceId string
  // Cluster identifier if the instance belongs to a DB cluster
  dbClusterIdentifier string
  // Storage throughput in MiBps for gp3 volumes
  storageThroughput int
  // KMS key used to encrypt the activity stream
  activityStreamKmsKey() aws.kms.key
  // Master user secret managed by Secrets Manager
  masterUserSecret dict
  // Whether the DB instance uses a customer-owned IP address (CoIP) for Outpost deployments
  customerOwnedIpEnabled bool
}

// Amazon RDS pending maintenance action
private aws.rds.pendingMaintenanceAction {
  // ARN for resource
  resourceArn string
  // Action to take
  action string
  // Description of the action
  description string
  // Auto applied after date
  autoAppliedAfterDate time
  // Current apply date
  currentApplyDate time
  // Forced apply date
  forcedApplyDate time
  // Opt-in status
  optInStatus string
}

// Amazon RDS cluster parameter groups
aws.rds.clusterParameterGroup @defaults("name family region arn") {
  // ARN for resource
  arn string
  // Family of the parameter group
  family string
  // Name of the parameter group
  name string
  // Description of the parameter group
  description string
  // Region of the parameters
  region string
  parameters() []aws.rds.parameterGroup.parameter
}

// Amazon RDS parameter groups
aws.rds.parameterGroup @defaults("name family region arn") {
  // ARN for resource
  arn string
  // Family of the parameter group
  family string
  // Name of the parameter group
  name string
  // Description of the parameter group
  description string
  // Region of the parameters
  region string
  // The parameters of the group
  parameters() []aws.rds.parameterGroup.parameter
}

aws.rds.parameterGroup.parameter @defaults("name value") {
  // Specifies the valid range of values for the parameter
  allowedValues string
  // When to apply parameter updates
  applyMethod string
  // Specifies the engine specific parameters type
  applyType string
  // Specifies the valid data type for the parameter
  dataType string
  // Provides a description of the parameter
  description string
  // being changed
  isModifiable bool
  // The earliest engine version to which the parameter can apply
  minimumEngineVersion string
  // The name of the parameter
  name string
  // The value of the parameter
  value string
  // The source of the parameter value
  source string
  // The valid DB engine modes
  supportedEngineModes []string
}


// Amazon ElastiCache
aws.elasticache @defaults("cacheClusters") {
  // List of cache clusters
  cacheClusters() []aws.elasticache.cluster
  // List of serverless caches
  serverlessCaches() []aws.elasticache.serverlessCache
}

// Amazon ElastiCache cluster
private aws.elasticache.cluster @defaults("cacheClusterId region nodeType engine") {
  // ARN for the cluster
  arn string
  // Whether the cluster has at rest encryption enabled
  atRestEncryptionEnabled bool
  // Whether Redis authentication tokens (or passwords) enable Redis to require a password before allowing clients to run commands
  authTokenEnabled bool
  // Date and time authentication token was last modified
  authTokenLastModifiedDate time
  // Whether the cluster is configured to auto-upgrade to the next minor version (Redis 6.0 or later)
  autoMinorVersionUpgrade bool
  // Date and time when the cluster was created
  cacheClusterCreateTime time
  // User-supplied unique key that identifies the cluster
  cacheClusterId string
  // Current state of the cluster: available, creating, deleted, deleting, incompatible-network, modifying, rebooting cluster nodes, restore-failed, or snapshotting
  cacheClusterStatus string
  // Name of the compute and memory capacity node type for the cluster
  cacheNodeType string
  // A list of cache nodes that are members of the cluster
  cacheNodes []string
  // A list of cache security group elements, composed of name and status sub-elements
  cacheSecurityGroups []string
  // Name of the cache subnet group associated with the cluster
  cacheSubnetGroupName string
  // URL of the web page where you can download the latest ElastiCache client library
  clientDownloadLandingPage string
  // Node type for the nodes in the cluster
  nodeType string
  // Name of the cache engine used for this cluster: Memcached or Redis
  engine string
  // Version of the cache engine that is used in this cluster
  engineVersion string
  // Network type associated with the cluster: ipv4 or ipv6
  ipDiscovery string
  // Log delivery configurations being modified
  logDeliveryConfigurations []dict
  // Supported network connection type for the cluster: ipv4, ipv6, or dual_stack
  networkType string
  // Describes a notification topic and its status
  notificationConfiguration string
  // Number of cache nodes in the cluster
  numCacheNodes int
  // Name of the availability zone in which the cluster is located or "Multiple" if the cache nodes are located in different availability zones
  preferredAvailabilityZone string
  // Region where the cluster exists
  region string
  // A list of VPC security groups associated with the cluster
  securityGroups() []aws.ec2.securitygroup
  // Number of days ElastiCache retains automatic cluster snapshots before deleting them
  snapshotRetentionLimit int
  // The daily time range (in UTC) during which ElastiCache begins taking a daily snapshot of your shard.
  snapshotWindow string
  // Whether in-transit encryption is enabled
  transitEncryptionEnabled bool
  // Whether migrating clients to use in-transit encryption (with no downtime) is allowed
  transitEncryptionMode string
  // KMS key used for at-rest encryption
  kmsKey() aws.kms.key
  // Specifies the weekly time range during which maintenance on the cluster is performed
  preferredMaintenanceWindow string
  // Whether log delivery is enabled for the replication group
  replicationGroupLogDeliveryEnabled bool
}

// Amazon ElastiCache serverless cache
private aws.elasticache.serverlessCache @defaults("name description status engine engineVersion") {
  // ARN for the cache
  arn string
  // Unique identifier of the serverless cache
  name string
  // Description of the serverless cache
  description string
  // Cache engine used for this cluster: Memcached or Redis
  engine string
  // Version of the cache engine that is used in this cluster
  engineVersion string
  // Version number of the engine with which the serverless cache is compatible
  majorEngineVersion string
  // ID of the Amazon Web Services Key Management Service (KMS) key
  // Deprecated: use kmsKey() instead
  kmsKeyId string
  // KMS key used to encrypt the serverless cache
  kmsKey() aws.kms.key
  // A list of VPC security groups associated with the cluster
  securityGroups() []aws.ec2.securitygroup
  // Number of days ElastiCache retains automatic cluster snapshots before deleting them
  snapshotRetentionLimit int
  // Time each day that a cache snapshot is created
  dailySnapshotTime string
  // Status of the serverless cache
  status string
  // Region where the cache exists
  region string
  // Time when the serverless cache was created
  createdAt time
  // Subnets associated with the serverless cache
  subnets() []aws.vpc.subnet
}

// Amazon Redshift
aws.redshift @defaults("clusters") {
  // List of clusters
  clusters() []aws.redshift.cluster
}

// Amazon Redshift cluster
private aws.redshift.cluster @defaults("dbName clusterVersion clusterStatus region") {
  // Whether major upgrades are applied automatically
  allowVersionUpgrade bool
  // ARN for the cluster
  arn string
  // Number of days automatic cluster snapshots are retained
  automatedSnapshotRetentionPeriod int
  // Availability zone where the cluster exists
  availabilityZone string
  // List of cluster parameter group names
  clusterParameterGroupNames []string
  // Specific revision number of the database in the cluster
  clusterRevisionNumber string
  // Current state of this cluster: available, cancelling-resize, creating, deleting, final-snapshot, hardware-failure, incompatible-hsm, incompatible-network, incompatible-parameters, incompatible-restore, modifying, paused, rebooting, renaming, resizing, rotating-keys, storage-full, or updating-hsm
  clusterStatus string
  // Name of the subnet group associated with the cluster
  clusterSubnetGroupName string
  // Version of the Redshift engine running on the cluster
  clusterVersion string
  // Cluster creation timestamp
  createdAt time
  // Name of the initial database that was created when the cluster was created
  dbName string
  // Whether the cluster is encrypted at rest
  encrypted bool
  // KMS key used to encrypt the cluster
  kmsKey() aws.kms.key
  // Whether enhanced VPC routing is enabled for the cluster traffic
  enhancedVpcRouting bool
  // Logging configuration for the cluster
  logging() dict
  // Master user name for the cluster.
  masterUsername string
  // Name of the initial database created when cluster was created
  name string
  // Next scheduled maintenance window
  nextMaintenanceWindowStartTime time
  // Node type for the nodes in the cluster
  nodeType string
  // Number of nodes in the cluster
  numberOfNodes int
  // Detailed list of parameters for each parameter group name
  parameters() []dict
  // Weekly time range for system maintenance (in UTC)
  preferredMaintenanceWindow string
  // Whether the cluster is publicly accessible
  publiclyAccessible bool
  // Region where the cluster exists
  region string
  // Tags for the cluster
  tags map[string]string
  // ID of the VPC where the cluster is running
  // Deprecated: use vpc() instead
  vpcId string
  // VPC where the cluster is running
  vpc() aws.vpc
  // Availability status (Available, Unavailable, Maintenance, Modifying)
  clusterAvailabilityStatus string
  // Total storage capacity in megabytes
  totalStorageCapacityInMegaBytes int
  // Name of the maintenance track for the cluster
  maintenanceTrackName string
  // HSM status for the cluster
  hsmStatus dict
  // Status of modifications to the cluster (e.g., resizing)
  modifyStatus string
  // Whether the cluster is a Multi-AZ deployment
  multiAZ bool
  // Number of days manual snapshots are retained (-1 means indefinite)
  manualSnapshotRetentionPeriod int
  // IP address type for the cluster (ipv4 or dualstack)
  ipAddressType string
  // KMS key used to encrypt the master password secret in Secrets Manager
  masterPasswordSecretKmsKey() aws.kms.key
  // Snapshots for this cluster
  snapshots() []aws.redshift.snapshot
}

// Amazon Redshift cluster snapshot
private aws.redshift.snapshot @defaults("arn clusterIdentifier status createdAt") {
  // Snapshot ARN
  arn string
  // Snapshot identifier
  id string
  // Cluster identifier
  clusterIdentifier string
  // Region where the snapshot exists
  region string
  // Snapshot type (manual or automated)
  snapshotType string
  // Snapshot status
  status string
  // Whether the snapshot data is encrypted
  encrypted bool
  // Whether the snapshot data is encrypted using a hardware security module
  encryptedWithHSM bool
  // Port the cluster was listening on at the time of the snapshot
  port int
  // Node type of the nodes in the cluster
  nodeType string
  // Number of nodes in the cluster
  numberOfNodes int
  // Master user name for the cluster
  masterUsername string
  // Name of the database
  dbName string
  // Availability zone of the cluster
  availabilityZone string
  // Version of the cluster engine at time of snapshot
  clusterVersion string
  // Full engine version of the cluster
  engineFullVersion string
  // Whether enhanced VPC routing was enabled
  enhancedVpcRouting bool
  // Number of days manual snapshots are retained (-1 means indefinite)
  manualSnapshotRetentionPeriod int
  // Total size of the data in the snapshot in megabytes
  totalBackupSizeInMegaBytes float
  // Time the snapshot was taken
  createdAt time
  // Time the source cluster was created
  clusterCreatedAt time
  // Tags for the snapshot
  tags map[string]string
  // KMS key used for the encrypted snapshot
  kmsKey() aws.kms.key
}

// Amazon Route 53 DNS service
aws.route53 {
  // List of all hosted zones in the account
  hostedZones() []aws.route53.hostedZone
  // List of all health checks in the account
  healthChecks() []aws.route53.healthCheck
  // List of all query logging configurations
  queryLoggingConfigs() []aws.route53.queryLoggingConfig
  // List of registered domains (via Route 53 Domains)
  domains() []aws.route53.domain
}

// Route 53 hosted zone
private aws.route53.hostedZone @defaults("id name type isPrivate") {
  // Unique identifier for the hosted zone (e.g., /hostedzone/Z1234567890ABC)
  id string
  // Name of the domain (e.g., example.com.)
  name string
  // Number of resource record sets in the hosted zone
  resourceRecordSetCount int
  // Hosted zone type: PUBLIC or PRIVATE
  type string
  // Hosted zone configuration including comment and private zone settings
  config dict
  // Whether this is a private hosted zone
  isPrivate bool
  // Comment associated with the hosted zone
  comment string
  // List of VPCs associated with a private hosted zone
  vpcs() []dict
  // ARN of the hosted zone
  arn string
  // Tags associated with the hosted zone
  tags map[string]string
  // DNS resource record sets in this hosted zone
  records() []aws.route53.record
  // Nameservers for this hosted zone
  nameServers() []string
  // Query logging configuration, if enabled
  queryLoggingConfig() aws.route53.queryLoggingConfig
  // DNSSEC status for this zone
  dnssecStatus() dict
  // Key signing keys for DNSSEC
  keySigningKeys() []aws.route53.keySigningKey
}

// Route 53 DNS resource record set
private aws.route53.record @defaults("name type") {
  // Hosted zone ID this record belongs to
  hostedZoneId string
  // Fully qualified domain name (e.g., www.example.com.)
  name string
  // DNS record type (A, AAAA, CNAME, MX, TXT, SOA, NS, SRV, PTR, CAA, etc.)
  type string
  // Time to live in seconds
  ttl int
  // List of resource record values (IP addresses, domain names, etc.)
  resourceRecords() []string
  // Alias target configuration (for AWS resource aliases)
  aliasTarget() dict
  // Whether this is an alias record
  isAlias bool
  // DNS name of the alias target (if alias record)
  aliasTargetDnsName string
  // Hosted zone ID of the alias target
  aliasTargetHostedZoneId string
  // Whether to evaluate target health for alias records
  aliasEvaluateTargetHealth bool
  // Routing policy identifier (for weighted, latency, failover, geolocation routing)
  setIdentifier string
  // Weight for weighted routing policy (0-255)
  weight int
  // AWS region for latency-based routing
  region string
  // Failover type: PRIMARY or SECONDARY
  failover string
  // Geographic location for geolocation routing
  geoLocation() dict
  // Geographic proximity routing bias
  geoProximityLocation() dict
  // Multi-value answer routing flag
  multiValueAnswer bool
  // Associated health check ID
  healthCheckId string
  // Health check details
  healthCheck() aws.route53.healthCheck
  // CIDR routing configuration
  cidrRoutingConfig() dict
  // Traffic policy instance ID (if managed by traffic policy)
  trafficPolicyInstanceId string
}

// Route 53 health check
private aws.route53.healthCheck @defaults("id type protocol") {
  // Unique identifier for the health check
  id string
  // ARN of the health check
  arn string
  // Tags associated with the health check
  tags map[string]string
  // Health check type: HTTP, HTTPS, TCP, CALCULATED, CLOUDWATCH_METRIC
  type string
  // Protocol: HTTP, HTTPS, or TCP. Empty for non-endpoint types (CALCULATED, CLOUDWATCH_METRIC, RECOVERY_CONTROL)
  protocol string
  // IP address of the endpoint
  ipAddress string
  // Fully qualified domain name of the endpoint
  fullyQualifiedDomainName string
  // Port to check (default: 80 for HTTP, 443 for HTTPS, 80 for TCP)
  port int
  // Path to request for HTTP/HTTPS health checks
  resourcePath string
  // Search string for HTTP/HTTPS health checks
  searchString string
  // Request interval in seconds (10 or 30)
  requestInterval int
  // Number of consecutive checks before changing status (2-10)
  failureThreshold int
  // Whether to measure latency
  measureLatency bool
  // Whether to enable SNI for HTTPS checks
  enableSNI bool
  // Regions to check from
  regions() []string
  // Health check status (e.g., "Success: HTTP Status Code 200, OK")
  status() string
  // For CALCULATED health checks: child health check IDs
  childHealthChecks() []string
  // Minimum number of healthy children required
  healthThreshold int
  // For CLOUDWATCH_METRIC health checks: alarm configuration
  cloudWatchAlarmConfiguration() dict
  // Whether the health check is inverted
  inverted bool
  // Whether health checks are disabled
  disabled bool
  // Caller reference (unique client identifier)
  callerReference string
}

// Route 53 query logging configuration
private aws.route53.queryLoggingConfig @defaults("id hostedZoneId") {
  // Unique identifier for the configuration
  id string
  // Hosted zone ID being logged
  hostedZoneId string
  // CloudWatch Logs log group ARN where queries are logged
  cloudWatchLogsLogGroupArn string
  // Associated hosted zone
  hostedZone() aws.route53.hostedZone
}

// Route 53 DNSSEC key signing key
private aws.route53.keySigningKey @defaults("name status") {
  // Name of the key signing key
  name string
  // ARN of the KMS key used for signing
  kmsArn string
  // Hosted zone ID
  hostedZoneId string
  // Flag value (always 257 for KSK)
  flag int
  // Signing algorithm name
  signingAlgorithmMnemonic string
  // Signing algorithm type
  signingAlgorithmType int
  // Digest algorithm name
  digestAlgorithmMnemonic string
  // Digest algorithm type
  digestAlgorithmType int
  // Key tag
  keyTag int
  // Digest value (base64)
  digestValue string
  // Public key (base64)
  publicKey string
  // DS record for parent zone
  dsRecord string
  // DNSKEY record
  dnskeyRecord string
  // Status: ACTIVE, INACTIVE, DELETING, ACTION_NEEDED, INTERNAL_FAILURE
  status string
  // Status message
  statusMessage string
  // Creation timestamp
  createdDate time
  // Last modification timestamp
  lastModifiedDate time
  // Associated hosted zone
  hostedZone() aws.route53.hostedZone
  // KMS key resource
  kmsKey() aws.kms.key
}

// Amazon Route 53 registered domain
private aws.route53.domain @defaults("domainName autoRenew transferLock") {
  // Registered domain name
  domainName string
  // Whether auto-renewal is enabled
  autoRenew bool
  // Whether transfer lock is enabled
  transferLock bool
  // Domain expiration date
  expiresAt time
  // Domain creation date
  createdAt() time
  // Domain last updated date
  updatedAt() time
  // Whether admin contact privacy protection is enabled
  adminPrivacy() bool
  // Whether registrant contact privacy protection is enabled
  registrantPrivacy() bool
  // Whether tech contact privacy protection is enabled
  techPrivacy() bool
  // DNSSEC configuration status
  dnssec() string
  // EPP status codes (e.g., clientTransferProhibited)
  statusList() []string
  // Nameservers for the domain
  nameservers() []dict
  // Registrar name
  registrarName() string
  // Abuse contact email
  abuseContactEmail() string
}

// AWS Elastic Container Registry (ECR)
aws.ecr {
  // List of private repositories
  privateRepositories() []aws.ecr.repository
  // List of public repositories associated with the AWS account
  publicRepositories() []aws.ecr.repository
  // List of images
  images() []aws.ecr.image
}

// AWS Elastic Container Registry repository
private aws.ecr.repository @defaults("uri region") {
  // ARN of the repository
  arn string
  // Name of the repository
  name string
  // URI of the repository, used for push/pull operations
  uri string
  // AWS Account ID associated with public registry for this repository
  registryId string
  // Whether the repository is public
  public bool
  // List of images in the repository
  images() []aws.ecr.image
  // Region where the image is stored
  region string
  // Whether the repository option to scan on image push is enabled
  imageScanOnPush bool
  // Whether image tags are immutable (MUTABLE or IMMUTABLE); immutable tags prevent image overwrites
  imageTagMutability string
  // Encryption type for images at rest (AES256, KMS, or KMS_DSSE)
  encryptionType string
  // When the repository was created
  createdAt time
  // Scanning frequency for the repository: SCAN_ON_PUSH, CONTINUOUS_SCAN, or MANUAL
  scanningFrequency() string
  // Access policy for the repository (parsed JSON; private repositories only)
  policy() dict
  // Lifecycle policy for the repository
  lifecyclePolicy() aws.ecr.lifecyclePolicy
  // About text from catalog data (public repositories only)
  aboutText() string
  // Usage text from catalog data (public repositories only)
  usageText() string
  // Short description from catalog data (public repositories only)
  catalogDescription() string
  // Operating systems from catalog data (public repositories only)
  operatingSystems() []string
  // Architectures from catalog data (public repositories only)
  architectures() []string
}

// AWS ECR repository lifecycle policy
private aws.ecr.lifecyclePolicy @defaults("rules") {
  // Unique identifier for this lifecycle policy
  id string
  // Time the lifecycle policy was last evaluated
  lastEvaluatedAt time
  // Rules in the lifecycle policy
  rules []aws.ecr.lifecyclePolicy.rule
}

// AWS ECR lifecycle policy rule
private aws.ecr.lifecyclePolicy.rule @defaults("rulePriority description") {
  // Unique identifier for this rule
  id string
  // Priority of the rule (lower numbers are evaluated first)
  rulePriority int
  // Description of the rule
  description string
  // Tag status filter: tagged, untagged, or any
  tagStatus string
  // Tag pattern list for filtering images (glob patterns)
  tagPatternList []string
  // Tag prefix list for filtering images
  tagPrefixList []string
  // Count type: imageCountMoreThan, sinceImagePushed, sinceImagePulled, or sinceImageTransitioned
  countType string
  // Count unit for time-based rules (days)
  countUnit string
  // Count number threshold
  countNumber int
  // Action type: expire or transition
  actionType string
}

// AWS Elastic Container Registry image
private aws.ecr.image @defaults("uri region") {
  // SHA256 of the image manifest
  digest string
  // Type of image manifest
  mediaType string
  // List of tags associated with image
  tags []string
  // AWS account ID associated with public registry for this image
  registryId string
  // Name of the repository for the image
  repoName string
  // Region where the ECR image is located
  region string
  // ARN for the image
  arn string
  // URI for the image repository
  uri string
  // Time the image was pushed
  pushedAt time
  // Size of the image in bytes
  sizeInBytes int
  // Time of the most recent image pull (Amazon only refreshes this data once every 24 hours.)
  lastRecordedPullTime time
}

// AWS Database Migration Service (DMS)
aws.dms @defaults("replicationInstances") {
  // List of DMS replication instances
  replicationInstances() []dict
}

// Amazon API Gateway
aws.apigateway @defaults("restApis") {
  // List of `aws.apigateway.restapi` objects representing all rest APIs across all enabled regions in the account
  restApis() []aws.apigateway.restapi
}

// Amazon API Gateway REST API
private aws.apigateway.restapi @defaults("name id") {
  // ARN for the REST API
  arn string
  // Unique ID for the REST API
  id string
  // Name for the REST API
  name string
  // Time when the REST API was created
  createdDate time
  // Description for the REST API
  description string
  // Stages for the REST API
  stages() []aws.apigateway.stage
  // Region where the REST API exists
  region string
  // Tags for the REST API
  tags map[string]string
  // Source of the API key for metering requests (HEADER or AUTHORIZER)
  apiKeySource string
  // Whether the default execute-api endpoint is disabled
  disableExecuteApiEndpoint bool
  // Minimum payload size in bytes for compression (0 to enable for all, -1 if disabled)
  minimumCompressionSize int
  // Supported binary media types
  binaryMediaTypes []string
  // Version identifier for the API
  version string
  // TLS version and cipher suite for the API (TLS_1_0, TLS_1_2, SecurityPolicy_TLS13_1_3_2025_09, SecurityPolicy_TLS13_1_3_FIPS_2025_09, SecurityPolicy_TLS13_1_2_PFS_PQ_2025_09, SecurityPolicy_TLS13_1_2_FIPS_PQ_2025_09, SecurityPolicy_TLS13_1_2_FIPS_PFS_PQ_2025_09, SecurityPolicy_TLS13_1_2_PQ_2025_09, SecurityPolicy_TLS13_1_2_2021_06, SecurityPolicy_TLS13_2025_EDGE, SecurityPolicy_TLS12_PFS_2025_EDGE, SecurityPolicy_TLS12_2018_EDGE)
  securityPolicy string
  // Resource policy for the API (JSON string)
  policy string
}

// Amazon API Gateway REST API stages
private aws.apigateway.stage @defaults("arn") {
  // ARN for the REST API stage
  arn string
  // Name for the stage
  name string
  // Whether tracing is enabled for the stage
  tracingEnabled bool
  // Description for the stage
  description string
  // ID of the deployment the stage is attached to
  deploymentId string
  // Method settings for the stage
  methodSettings dict
  // Whether a cache cluster is enabled for the stage
  cacheClusterEnabled bool
  // Size of the cache cluster (0.5, 1.6, 6.1, 13.5, 28.4, 58.2, 118, 237)
  cacheClusterSize string
  // Status of the cache cluster
  cacheClusterStatus string
  // Client certificate ID for mutual TLS with backend
  clientCertificateId string
  // ARN of the WAF web ACL associated with the stage
  webAclArn string
  // Time when the stage was created
  createdAt time
  // Time when the stage was last updated
  lastUpdatedAt time
  // Documentation version associated with the stage
  documentationVersion string
  // Stage variables
  variables map[string]string
  // Tags for the stage
  tags map[string]string
}

// AWS Lambda
aws.lambda {
  // List of Lambda functions across all regions in the account
  functions() []aws.lambda.function
  // List of Lambda layers across all regions in the account
  layers() []aws.lambda.layer
  // List of event source mappings across all regions in the account
  eventSourceMappings() []aws.lambda.eventSourceMapping
}

// AWS Lambda function
private aws.lambda.function @defaults("arn") {
  // ARN of the function
  arn string
  // Name of the function
  name string
  // Runtime environment for the function
  runtime string
  // Concurrency limit for the function
  concurrency() int
  // Target ARN of the dead-letter queue config
  dlqTargetArn string
  // Policy for the function
  policy() dict
  // VPC configuration for the Lambda function
  // Deprecated: use vpc(), subnets(), and securityGroups() instead
  vpcConfig dict
  // VPC the Lambda function is connected to
  vpc() aws.vpc
  // Subnets the Lambda function is connected to
  subnets() []aws.vpc.subnet
  // Security groups associated with the Lambda function
  securityGroups() []aws.ec2.securitygroup
  // Region where the function exists
  region string
  // Tags for the function
  tags() map[string]string
  // Instruction set architectures supported by the function (x86_64, arm64)
  architectures []string
  // Size of the /tmp directory in MB (512-10240)
  ephemeralStorageSize int
  // Amount of memory available to the function at runtime in MB
  memorySize int
  // IAM execution role for the function
  role() aws.iam.role
  // Maximum execution time in seconds before the function is stopped (1-900)
  timeout int
  // Function entry point handler (e.g., index.handler)
  handler string
  // AWS X-Ray tracing mode for the function (Active or PassThrough)
  tracingMode string
  // Deployment package type (Zip or Image)
  packageType string
  // SHA-256 hash of the function deployment package
  codeSha256 string
  // Human-readable description of the function
  description string
  // When the function was last updated
  lastModifiedAt time
  // Function URL configuration (null if no URL is configured)
  urlConfig() aws.lambda.function.urlConfig
  // Current state of the function (Active, Inactive, Pending, Failed)
  state string
  // Size of the function deployment package in bytes
  codeSize int
  // Reason for the function's current state
  stateReason string
  // Status of the last function update (Successful, Failed, InProgress)
  lastUpdateStatus string
  // Reason for the last update status
  lastUpdateStatusReason string
  // KMS key ARN used to encrypt environment variables
  // Deprecated: use kmsKey() instead
  kmsKeyArn string
  // KMS key used to encrypt environment variables
  kmsKey() aws.kms.key
  // Environment variables configured for the function
  environment map[string]string
  // Layers attached to the function
  layers []aws.lambda.function.layer
  // Logging configuration for the function
  loggingConfig aws.lambda.function.loggingConfig
  // SnapStart apply mode: PublishedVersions or None
  snapStartApplyOn string
  // SnapStart optimization status: On or Off
  snapStartOptimizationStatus string
  // EFS file system mount configurations
  fileSystemConfigs []dict
  // Code signing profile version ARN
  signingProfileVersionArn string
  // Code signing job ARN
  signingJobArn string
  // Event source mappings for this function
  eventSourceMappings() []aws.lambda.eventSourceMapping
  // Aliases for this function
  aliases() []aws.lambda.function.alias
  // Provisioned concurrency configurations for this function
  provisionedConcurrencyConfigs() []aws.lambda.function.provisionedConcurrencyConfig
  // Code signing configuration (null if not configured)
  codeSigningConfig() aws.lambda.codeSigningConfig
}

// AWS Lambda function URL configuration
private aws.lambda.function.urlConfig @defaults("functionUrl authType") {
  // Function URL endpoint
  functionUrl string
  // Authentication type for the function URL: AWS_IAM or NONE
  authType string
  // Allowed origins for CORS requests
  corsAllowOrigins []string
  // Allowed HTTP methods for CORS requests
  corsAllowMethods []string
  // Allowed headers for CORS requests
  corsAllowHeaders []string
  // Whether credentials are included in CORS requests
  corsAllowCredentials bool
  // Response headers to expose in CORS requests
  corsExposeHeaders []string
  // Maximum time in seconds that browsers can cache CORS results
  corsMaxAge int
  // When the function URL was created
  createdAt time
  // When the function URL was last modified
  lastModifiedAt time
}

// Logging configuration for an AWS Lambda function
private aws.lambda.function.loggingConfig @defaults("logFormat logGroup") {
  // Log format: Text or JSON
  logFormat string
  // Application log level: TRACE, DEBUG, INFO, WARN, ERROR, FATAL
  applicationLogLevel string
  // System log level: DEBUG, INFO, WARN
  systemLogLevel string
  // CloudWatch log group name
  logGroup string
}

// Layer attached to an AWS Lambda function
private aws.lambda.function.layer @defaults("arn") {
  // ARN of the function layer version
  arn string
  // Size of the layer archive in bytes
  codeSize int
  // ARN of the signing job
  signingJobArn string
  // ARN of the signing profile version
  signingProfileVersionArn string
}

// AWS Lambda layer
private aws.lambda.layer @defaults("arn name") {
  // ARN of the layer
  arn string
  // Name of the layer
  name string
  // ARN of the latest layer version
  latestVersionArn string
  // Latest version number
  latestVersion int
  // Description of the latest version
  description string
  // Compatible runtimes for the latest version
  compatibleRuntimes []string
  // Compatible instruction set architectures for the latest version
  compatibleArchitectures []string
  // When the latest version was created
  createdDate time
  // License information for the latest version
  licenseInfo string
}

// AWS Lambda event source mapping
private aws.lambda.eventSourceMapping @defaults("uuid eventSourceArn") {
  // UUID of the event source mapping
  uuid string
  // ARN of the event source
  eventSourceArn string
  // ARN of the Lambda function
  functionArn string
  // Region where the event source mapping exists
  region string
  // State of the event source mapping: Creating, Enabling, Enabled, Disabling, Disabled, Updating, Deleting
  state string
  // Reason for the current state transition
  stateTransitionReason string
  // Maximum number of records in each batch
  batchSize int
  // Maximum time in seconds to gather records before invoking the function
  maximumBatchingWindowInSeconds int
  // Number of batches to process concurrently from each shard
  parallelizationFactor int
  // Maximum number of retry attempts (-1 for infinite)
  maximumRetryAttempts int
  // Maximum age of a record in seconds (-1 for infinite)
  maximumRecordAgeInSeconds int
  // Whether to split the batch on function error
  bisectBatchOnFunctionError bool
  // When the event source mapping was last modified
  lastModified time
  // Result of the last processing attempt
  lastProcessingResult string
  // Kafka topics for the event source mapping
  topics []string
  // Amazon MQ broker destination queues
  queues []string
  // Duration in seconds of the tumbling window
  tumblingWindowInSeconds int
  // Position in stream to start reading: AT_TIMESTAMP, LATEST, TRIM_HORIZON
  startingPosition string
  // ARN of the on-failure destination
  onFailureDestinationArn string
  // Filter criteria as JSON
  filterCriteria dict
  // Maximum concurrency for SQS event sources
  maximumConcurrency int
}

// AWS Lambda function alias
private aws.lambda.function.alias @defaults("arn name") {
  // ARN of the alias
  arn string
  // Name of the alias
  name string
  // Function version that the alias invokes
  functionVersion string
  // Description of the alias
  description string
  // Unique identifier that changes when the alias is updated
  revisionId string
  // Traffic-shifting configuration weights (version to weight percentage, e.g. "2": 0.5)
  routingConfigWeights map[string]float
}

// AWS Lambda function provisioned concurrency configuration
private aws.lambda.function.provisionedConcurrencyConfig @defaults("functionArn status") {
  // ARN of the alias or version
  functionArn string
  // Requested provisioned concurrency amount
  requestedConcurrentExecutions int
  // Allocated provisioned concurrency amount
  allocatedConcurrentExecutions int
  // Available provisioned concurrency amount
  availableConcurrentExecutions int
  // Status of the allocation: IN_PROGRESS, READY, FAILED
  status string
  // Reason for the current status
  statusReason string
  // When the configuration was last modified
  lastModified time
}

// AWS Lambda code signing configuration
private aws.lambda.codeSigningConfig @defaults("arn") {
  // ARN of the code signing configuration
  arn string
  // Unique identifier of the code signing configuration
  id string
  // Description of the code signing configuration
  description string
  // Allowed publisher signing profile version ARNs
  allowedPublisherProfileArns []string
  // Action on untrusted artifact deployment: Warn or Enforce
  untrustedArtifactOnDeployment string
  // When the configuration was last modified
  lastModified time
}

// Amazon Systems Manager
aws.ssm @defaults("instances") {
  // List of SSM instances
  instances() []aws.ssm.instance
  // List of SSM parameters
  parameters() []aws.ssm.parameter
}


// Amazon SSM parameter
private aws.ssm.parameter {
  // Allowed pattern for the parameter
  allowedPattern string
  // ARN for the parameter
  arn string
  // Region for the parameter
  region string
  // Data type for the parameter
  dataType string
  // Description for the parameter
  description string
  // KMS key associated with the parameter (if any)
  kmsKey() aws.kms.key
  // Date when the parameter was last modified
  lastModifiedDate time
  // Name of the parameter
  name string
  // Tier of the parameter (Standard, Advanced, or Intelligent-Tiering)
  tier string
  // Type of the parameter (String, StringList, or SecureString)
  type string
  // Version of the parameter
  version int
}

// Amazon SSM instance
private aws.ssm.instance @defaults("instanceId region platformName platformVersion ipAddress") {
  // Instance ID for the SSM Instance
  instanceId string
  // Ping status (such as online) for the SSM Instance
  pingStatus string
  // IP Address for the SSM instance
  ipAddress string
  // Platform name for the SSM Instance, as described by AWS
  platformName string
  // Type of platform for the SSM Instance, as described by AWS: Windows, Linux, and so on
  platformType string
  // Platform version for the SSM Instance, as described by AWS
  platformVersion string
  // Region where the SSM instance is located
  region string
  // ARN for the SSM instance
  arn string
  // Tags for the SSM instance
  tags() map[string]string
  // Version of the SSM Agent running on the instance
  agentVersion string
  // Last time the agent pinged the SSM service
  lastPingedAt time
  // Fully qualified hostname of the managed node
  computerName string
}

// Amazon EC2
aws.ec2 {
  // List of security groups available to the account
  securityGroups() []aws.ec2.securitygroup
  // List of instances across the AWS account (all regions)
  instances() []aws.ec2.instance
  // map[region]boolean used to denote if EBS encryption is on by default per region
  ebsEncryptionByDefault() map[string]bool
  // List of volumes across the AWS account
  volumes() []aws.ec2.volume
  // List of snapshots across the account
  snapshots() []aws.ec2.snapshot
  // List of internet gateways
  internetGateways() []aws.ec2.internetgateway
  // List of VPN connections
  vpnConnections() []aws.ec2.vpnconnection
  // List of network ACLs
  networkAcls() []aws.ec2.networkacl
  // List of keypairs for the account
  keypairs() []aws.ec2.keypair
  // List of Elastic IPs (EIPs)
  eips() []aws.ec2.eip
  // List of AMI images owned by the account
  images() []aws.ec2.image
  // List of transit gateways
  transitGateways() []aws.ec2.transitgateway
  // List of launch templates
  launchTemplates() []aws.ec2.launchtemplate
}

// Amazon Elastic IP (EIP)
private aws.ec2.eip @defaults("publicIp attached privateIpAddress") {
  // Public IP address of the EIP
  publicIp string
  // Whether the Elastic IP is associated with an instance (false if no allocationId is present)
  attached bool
  // EC2 instance associated with the EIP
  instance() aws.ec2.instance
  // ID of the network interface
  networkInterfaceId string
  // ID of the network interface owner
  networkInterfaceOwnerId string
  // Private IP address for the EIP
  privateIpAddress string
  // IPv4 pool of the EIP
  publicIpv4Pool string
  // Tags for the EIP
  tags map[string]string
  // Region where the EIP is located
  region string
}

// Amazon VPC NAT Gateway
private aws.vpc.natgateway {
  // Time when the gateway was created
  createdAt time
  // ID of the NAT gateway
  natGatewayId string
  // State of the NAT gateway (pending, failed, available, deleting, or deleted)
  state string
  // Tags for the NAT gateway
  tags map[string]string
  // VPC associated with the NAT gateway
  vpc() aws.vpc
  // List of addresses associated with the NAT gateway
  addresses []aws.vpc.natgateway.address
  // Subnet for the NAT gateway
  subnet() aws.vpc.subnet
}

// Amazon VPC NAT gateway address
private aws.vpc.natgateway.address {
  // Allocation ID for the address
  allocationId string
  // Network interface ID for the address
  networkInterfaceId string
  // Private IP associated with the address
  privateIp string
  // EIP associated with the address
  publicIp() aws.ec2.eip // AllocationId can get us back to the actual EIP
  // Whether this is the primary address for the NAT gateway
  isPrimary bool
}

// Amazon VPC Service Endpoint
private aws.vpc.serviceEndpoint {
  // Whether acceptance is required
  acceptanceRequired() bool
  // List of availability zones for the service endpoint
  availabilityZones() []string
  // List of base endpoint DNS names for the service endpoint
  dnsNames []string
  // Service ID
  id string
  // Whether the service endpoint manages VPC endpoints
  managesVpcEndpoints() bool
  // Service name
  name string
  // Service owner
  owner string
  // Service payer responsibility
  payerResponsibility() string
  // Service private DNS name verification state
  privateDnsNameVerificationState() string
  // List of service private DNS names
  privateDnsNames() []string
  // Tags for the service endpoint
  tags map[string]string
  // Service type
  type string
  // Whether the service supports VPC endpoint policy
  vpcEndpointPolicySupported() bool
}

// Amazon VPC Peering Connection
private aws.vpc.peeringConnection {
  // VPC for the peering connection acceptor
  acceptorVpc() aws.vpc.peeringConnection.peeringVpc
  // Expiration time for the peering connection
  expirationTime time
  // ID of the peering connection
  id string
  // VPC for the peering connection requestor
  requestorVpc() aws.vpc.peeringConnection.peeringVpc
  // Status of the peering connection
  status string
  // Tags for the peering connection
  tags map[string]string
}

// Amazon VPC Peering Connection Peering VPC
private aws.vpc.peeringConnection.peeringVpc {
  // Whether DNS resolution from the remote VPC is allowed
  allowDnsResolutionFromRemoteVpc bool
  // List of IPv4 CIDR blocks for peering connection
  ipv4CiderBlocks []string
  // List of IPv6 CIDR blocks for peering connection
  ipv6CiderBlocks []string
  // Owner ID of the peering connection
  ownerID string
  // Region of the peering connection
  region string
  // VPC associated with the peering connection (populated if it's in the same account)
  vpc() aws.vpc
  // ID of the VPC associated with the peering connection
  vpcId string
}

// Amazon EC2 network ACL
private aws.ec2.networkacl @defaults("id region") {
  // ARN for the network ACL
  arn string
  // ID for the network ACL
  id string
  // Region for the network ACL
  region string
  // Entries for the network ACL
  entries() []aws.ec2.networkacl.entry
  // Whether the ACL is the default network ACL for the VPC
  isDefault bool
  // Tags for the network ACL
  tags map[string]string
  // Associations for the network ACL
  associations []aws.ec2.networkacl.association
}

private aws.ec2.networkacl.association {
  // ID for the association
  associationId string
  // Network ACL ID for the association
  networkAclId string
  // Subnet ID for the association
  subnetId string
}

// Amazon EC2 network ACL entry
private aws.ec2.networkacl.entry @defaults("id egress ruleAction cidrBlock portRange") {
  // Whether this is an entry for egress rules
  egress bool
  // Allow or deny
  ruleAction string
  // Rule number
  ruleNumber int
  // Protocol number (-1 for all, 6 for TCP, 17 for UDP)
  protocol string
  // Port range for the ACL entry
  portRange() aws.ec2.networkacl.entry.portrange
  // CIDR block for the ACL entry
  cidrBlock string
  // IPv6 CIDR block for the ACL entry
  ipv6CidrBlock string
  // ID for the ACL entry rule
  id string
}

// Amazon EC2 network ACL entry port range
private aws.ec2.networkacl.entry.portrange @defaults("from to") {
  // Starting port for port range
  from int
  // Ending port for port range
  to int
  // ID for the entry port range
  id string
}

// Amazon EC2 VPN connection
private aws.ec2.vpnconnection @defaults("arn") {
  // ARN for the VPN connection
  arn string
  // List of telemetry data for the VPN
  vgwTelemetry []aws.ec2.vgwtelemetry
}

// Amazon EC2 VPN tunnel telemetry
private aws.ec2.vgwtelemetry {
  // Outside IP address
  outsideIpAddress string
  // VPN tunnel status
  status string
  // VPN tunnel status message
  statusMessage string
}

// Amazon EC2 internet gateway
private aws.ec2.internetgateway @defaults("arn") {
  // ARN for the gateway
  arn string
  // ID for the gateway
  id string
  // Region where the internet gateway exists
  region string
  // VPC attachments
  attachments []dict
  // Tags on the internet gateway
  tags map[string]string
}

// Amazon EC2 transit gateway
private aws.ec2.transitgateway @defaults("arn id state") {
  // Transit gateway ARN
  arn string
  // Transit gateway ID
  id string
  // AWS account ID of the transit gateway owner
  ownerId string
  // State of the transit gateway (available, deleting, deleted, pending, modifying, etc.)
  state string
  // Description of the transit gateway
  description string
  // Region where the transit gateway exists
  region string
  // Creation timestamp
  createdAt time
  // Tags on the transit gateway
  tags map[string]string
  // Private Autonomous System Number (ASN) for the Amazon side of a BGP session
  amazonSideAsn int
  // Whether attachment requests are automatically accepted
  autoAcceptSharedAttachments bool
  // Whether resource attachments are automatically associated with the default route table
  defaultRouteTableAssociation bool
  // Whether resource attachments automatically propagate routes to the default route table
  defaultRouteTablePropagation bool
  // Whether DNS support is enabled
  dnsSupport bool
  // Whether multicast is enabled
  multicastSupport bool
  // Whether Equal Cost Multipath Protocol support is enabled
  vpnEcmpSupport bool
  // Transit gateway CIDR blocks
  transitGatewayCidrBlocks []string
  // ID of the default association route table
  associationDefaultRouteTableId string
  // ID of the default propagation route table
  propagationDefaultRouteTableId string
}

// Amazon EC2 launch template
private aws.ec2.launchtemplate @defaults("name region") {
  // Launch template ID
  id string
  // ARN of the launch template
  arn string
  // Name of the launch template
  name string
  // Region for the launch template
  region string
  // Time the launch template was created
  createdAt time
  // Principal that created the launch template
  createdBy string
  // Default version number
  defaultVersion int
  // Latest version number
  latestVersion int
  // Tags for the launch template
  tags map[string]string
  // User data from the default version (base64-decoded)
  userData() string
}

// Amazon EC2 (EBS) snapshot
private aws.ec2.snapshot @defaults("id region volumeSize state") {
  // ARN for the snapshot
  arn string
  // ID for the snapshot
  id string
  // Region where the snapshot exists
  region string
  // Users/groups that have the permissions to create volumes from the snapshot
  createVolumePermission() []dict
  // ID of the volume used to create the snapshot
  volumeId string
  // Time when the snapshot began
  startTime time
  // Time when the snapshot completed
  completionTime time
  // Tags for the snapshot
  tags map[string]string
  // State of the snapshot: pending, completed, error, recoverable, or recovering
  state string
  // Size of the volume, in GiB
  volumeSize int
  // Description of the snapshot
  description string
  // Whether the snapshot is encrypted
  encrypted bool
  // The storage tier in which the snapshot is stored
  storageTier string
  // KMS key used for snapshot encryption
  kmsKey() aws.kms.key
  // Whether the snapshot is public (shared with all AWS accounts)
  isPublic() bool
}

// Amazon EC2 (EBS) volume
private aws.ec2.volume @defaults("id region volumeType size encrypted state") {
  // ARN for the EC2 volume
  arn string
  // ID of the EC2 volume
  id string
  // Information about the volume attachments
  attachments []dict
  // Whether the volume is encrypted
  encrypted bool
  // State of the volume: creating, available, in-use, and so on
  state string
  // A map of tags associated with the EBS volume
  tags map[string]string
  // Availability Zone in which the volume was created
  availabilityZone string
  // EBS volume type: gp2, gp3, io1, io2, st1, sc1, or standard
  volumeType string
  // Time the volume was created
  createTime time
  // Region where the EC2 volume is stored
  region string
  // Whether Amazon EBS Multi-Attach is enabled
  multiAttachEnabled bool
  // Throughput that the volume supports, in MiB/s.
  throughput int
  // Size of the volume, in GiBs.
  size int
  // Number of I/O operations per second (IOPS). For gp3, io1, and io2 volumes, this represents the number of IOPS that are provisioned for the volume. For gp2 volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting.
  iops int
  // KMS key used for volume encryption
  kmsKey() aws.kms.key
  // Server-side encryption type: sse-ebs, sse-kms, or none
  sseType string
}

// Amazon Inspector
aws.inspector {
  // List of coverage results for the AWS account
  coverages() []aws.inspector.coverage
  // List of all findings from Inspector across all regions
  findings() []aws.inspector.finding
}

// Amazon Inspector environment coverage
private aws.inspector.coverage {
  // Account ID for the coverage finding
  accountId string
  // Resource ID for the coverage finding
  resourceId string
  // Resource type, e.g. AWS_EC2_INSTANCE
  resourceType string
  // Time when the coverage finding was last scanned
  lastScannedAt time
  // Reason for the coverage finding status
  statusReason string
  // Code for the coverage finding status
  statusCode string
  // Type of coverage finding
  scanType string
  // Region where it was found
  region string
  // Details about the EC2 instance associated with the finding
  ec2Instance() aws.inspector.coverage.instance
  // Details about the ECR image associated with the finding
  ecrImage() aws.inspector.coverage.image
  // Details about the ECR repo associated with the finding
  ecrRepo() aws.inspector.coverage.repository
  // Details about the Lambda function associated with the finding
  lambda() aws.lambda.function
}

// Amazon Inspector instance coverage group
private aws.inspector.coverage.instance {
  // Platform for the EC2 instance
  platform string
  // Tags associated with the EC2 instance
  tags map[string]string
  // Image associated with the EC2 instance
  image aws.ec2.image
  // Region where the EC2 instance is found
  region string
}

// Amazon Inspector container image coverage group
private aws.inspector.coverage.image {
  // Time when the image was scanned
  imagePulledAt time
  // Tags associated with the image
  tags map[string]string
  // Region where the image is found
  region string
}

// Amazon Inspector container registry coverage group
private aws.inspector.coverage.repository {
  // Name of the ECR repository
  name string
  // Scan frequency of the ECR repo
  scanFrequency string
  // Region where the ECR repo is found
  region string
}

// Amazon Inspector finding
private aws.inspector.finding @defaults("arn severity status type title") {
  // ARN of the finding
  arn string
  // AWS account ID associated with the finding
  accountId string
  // Title of the finding
  title string
  // Description of the finding
  description string
  // Severity: INFORMATIONAL, LOW, MEDIUM, HIGH, CRITICAL, UNTRIAGED
  severity string
  // Status: ACTIVE, SUPPRESSED, CLOSED
  status string
  // Finding type: NETWORK_REACHABILITY, PACKAGE_VULNERABILITY, CODE_VULNERABILITY
  type string
  // Date/time the finding was first observed
  firstObservedAt time
  // Date/time the finding was last observed
  lastObservedAt time
  // Date/time the finding was last updated
  updatedAt time
  // Amazon Inspector score (0-10)
  inspectorScore float
  // Whether an exploit is available: YES, NO
  exploitAvailable string
  // Whether a fix is available: YES, NO, PARTIAL
  fixAvailable string
  // Region where the finding was discovered
  region string
  // Remediation recommendation text
  remediation() string
  // Remediation recommendation URL
  remediationUrl() string
  // Package vulnerability details (null if type is not PACKAGE_VULNERABILITY)
  packageVulnerability() aws.inspector.finding.packageVulnerability
  // Network reachability details (null if type is not NETWORK_REACHABILITY)
  networkReachability() aws.inspector.finding.networkReachability
  // Code vulnerability details (null if type is not CODE_VULNERABILITY)
  codeVulnerability() aws.inspector.finding.codeVulnerability
}

// Amazon Inspector finding package vulnerability details
private aws.inspector.finding.packageVulnerability @defaults("vulnerabilityId source") {
  // Vulnerability ID (CVE ID, e.g., CVE-2021-44228)
  vulnerabilityId string
  // Source of vulnerability info (e.g., NVD, UBUNTU_CVE)
  source string
  // URL to the source
  sourceUrl string
  // Vendor-assigned severity
  vendorSeverity string
  // Date vendor first published the vulnerability
  vendorCreatedAt time
  // Date vendor last updated the vulnerability
  vendorUpdatedAt time
  // CVSS scores
  cvssScores []aws.inspector.finding.packageVulnerability.cvssScore
  // Reference URLs for more information
  referenceUrls []string
  // Related vulnerability IDs
  relatedVulnerabilities []string
  // Affected packages
  vulnerablePackages []aws.inspector.finding.vulnerablePackage
}

// Amazon Inspector CVSS score
private aws.inspector.finding.packageVulnerability.cvssScore @defaults("baseScore version source") {
  // Base CVSS score
  baseScore float
  // CVSS vector string
  scoringVector string
  // Source of the score (e.g., NVD, SNYK)
  source string
  // CVSS version (e.g., 2.0, 3.0, 3.1)
  version string
}

// Amazon Inspector finding vulnerable package
private aws.inspector.finding.vulnerablePackage @defaults("name version") {
  // Package name
  name string
  // Installed version
  version string
  // Architecture (e.g., x86_64, amd64)
  arch string
  // Epoch
  epoch int
  // Package manager (e.g., OS, BUNDLER, PIP, NPM)
  packageManager string
  // File path of the vulnerable package
  filePath string
  // Version containing the fix (empty if no fix)
  fixedInVersion string
  // Remediation command
  remediation string
  // Release string
  release string
}

// Amazon Inspector finding network reachability details
private aws.inspector.finding.networkReachability @defaults("protocol openPortStart openPortEnd") {
  // Protocol: TCP, UDP
  protocol string
  // Open port range start
  openPortStart int
  // Open port range end
  openPortEnd int
  // Network path steps
  networkPath []dict
}

// Amazon Inspector finding code vulnerability details
private aws.inspector.finding.codeVulnerability @defaults("detectorName") {
  // CWE IDs associated with the vulnerability
  cwes []string
  // CodeGuru detector ID
  detectorId string
  // CodeGuru detector name
  detectorName string
  // Detector tags
  detectorTags []string
  // File path where the vulnerability was found
  filePath dict
  // Reference URLs
  referenceUrls []string
  // Rule ID
  ruleId string
  // Source Lambda layer ARN (if applicable)
  sourceLambdaLayerArn string
}

// Amazon EC2 instance
private aws.ec2.instance @defaults("instanceId region state instanceType architecture platformDetails") {
  // ARN for the instance
  arn string
  // Instance ID for the instance
  instanceId string
  // Whether detailed monitoring is enabled
  detailedMonitoring string
  // Region where the instance exists
  region string
  // Public IP for instance
  publicIp string
  // Amazon Systems Manager information for the instance
  ssm() dict
  // VPC associated with the instance
  vpc() aws.vpc
  // A value of "optional" denotes IMDSv1 server compatibility; "required" denotes IMDSv2
  httpTokens string
  // Status of the IMDS endpoint enabled on the instance
  httpEndpoint string
  // Maximum number of hops for the instance metadata PUT response (1-64); values >1 increase SSRF risk
  httpPutResponseHopLimit int
  // Whether the instance is enabled for AWS Nitro Enclaves
  enclaveEnabled bool
  // Patch state information about the instance
  patchState() dict
  // State of the instance: pending, running, shutting-down, stopping, stopped, or terminated
  state string
  // List of devices attached to the instance (such as EBS volume)
  deviceMappings []aws.ec2.instance.device
  // List of security groups (IDs) associated with the instance
  securityGroups() []aws.ec2.securitygroup
  // Platform details
  platformDetails string
  // Public DNS name for the instance
  publicDnsName string
  // Status of the specified instance
  instanceStatus() dict
  // Reason for the most recent state transition
  stateReason dict
  // Reason for the most recent state transition
  stateTransitionReason string
  // Whether the instance has EBS optimization turned on
  ebsOptimized bool
  // Whether enhanced networking with ENA is enabled
  enaSupported bool
  // Instance type, such as t2.micro
  instanceType string
  // Tags on the instance
  tags map[string]string
  // Instance profile of the instance
  iamInstanceProfile() aws.iam.instanceProfile
  // Image that was used for the instance
  image() aws.ec2.image
  // Deprecated: use `launchedAt` instead
  launchTime time
  // Launch time of the instance
  launchedAt time
  // Private IP address for the instance
  privateIp string
  // Private DNS name for the instance
  privateDnsName string
  // Key pair associated with the instance
  keypair() aws.ec2.keypair
  // Time when the last state transition occurred
  stateTransitionTime time
  // Deprecated: use `vpc` instead
  vpcArn string
  // Hypervisor type of the instance: ovm or xen
  hypervisor string
  // Whether this is a Spot Instance or a Scheduled Instance: spot, scheduled, or capacity-block
  instanceLifecycle string
  // Root device type used by the AMI: ebs or instance-store
  rootDeviceType string
  // Device name of the root device volume, such as /dev/sda1
  rootDeviceName string
  // Architecture of the instance
  architecture string
  // TPM version supported. NitroTPM is enabled if this value is `2.0`
  tpmSupport string
  // List of network interfaces for the instance
  networkInterfaces() []aws.ec2.networkinterface
  // Whether API termination protection is enabled for the instance
  disableApiTermination() bool
  // Boot mode of the instance (undefined, legacy-bios, uefi, uefi-preferred)
  bootMode string
  // Whether source/destination checking is enabled
  sourceDestCheck bool
  // IPv6 address assigned to the instance
  ipv6Address string
  // Number of CPU cores for the instance
  cpuCoreCount int
  // Number of threads per CPU core
  cpuThreadsPerCore int
  // Whether the instance is enabled for hibernation
  hibernationConfigured bool
  // Auto recovery behavior: default or disabled
  maintenanceAutoRecovery string
  // Current boot mode of the instance: undefined, legacy-bios, uefi, or uefi-preferred
  currentInstanceBootMode string
  // Spot Instance request ID, if applicable
  spotInstanceRequestId string
  // Placement information (availability zone, tenancy, host, partition, group)
  placement aws.ec2.instance.placement
  // Virtualization type: hvm or paravirtual
  virtualizationType string
}

// AWS EC2 network interface
private aws.ec2.networkinterface @defaults("id privateIpAddress macAddress") {
  // ID of the network interface
  id string
  // Description of the network interface
  description string
  // Subnet of the network interface
  subnet() aws.vpc.subnet
  // VPC of the network interface
  vpc() aws.vpc
  // Status of the network interface. If the network interface is not attached to an instance, the status is available; if a network interface is attached to an instance the status is in-use
  status string
  // Whether the network interface performs source/destination checking (A value of true means checking is enabled, and false means checking is disabled. The value must be false for the network interface to perform network address translation (NAT) in your VPC.)
  sourceDestCheck bool
  // Whether the network interface is being managed by an AWS service (for example, AWS Management Console, Auto Scaling, and so on)
  requesterManaged bool
  // Tags set on the interface
  tags map[string]string
  // Availability zone of the network interface
  availabilityZone string
  // Security groups associated with the network interface
  securityGroups() []aws.ec2.securitygroup
  // Whether this is an IPv6 only network interface
  ipv6Native bool
  // MAC address of the network interface
  macAddress string
  // Private DNS name of the network interface (IPv4)
  privateDnsName string
  // Private IPv4 address of the network interface
  privateIpAddress string
  // Region where the network interface exists
  region string
}

// Amazon EC2 key pair
private aws.ec2.keypair @defaults("name type region") {
  // ARN of the key pair
  arn string
  // Fingerprint for the key pair
  fingerprint string
  // Name of the key pair
  name string
  // Type of key, such as RSA
  type string
  // Tags for the key pair
  tags map[string]string
  // Region where the key pair exists
  region string
  // Date the keypair was created
  createdAt time
}

// Amazon EC2 image (AMI)
private aws.ec2.image @defaults("ownerAlias id name") {
  // Deprecated: AMIs do not have ARNs. Use `id` instead.
  arn string
  // ID of the image
  id string
  // Name for the image
  name string
  // Architecture associated with the image
  architecture string
  // AWS account ID of the image owner
  ownerId string
  // Alias for the image owner
  ownerAlias string
  // Date the image was created
  createdAt time
  // Date the image was deprecated
  deprecatedAt time
  // Whether enhanced networking with ENA is enabled
  enaSupport bool
  // The supported TPM version. If the image is configured for NitroTPM support, the value is v2.0
  tpmSupport string
  // Whether the AMI requires IMDSv2 (v2.0 means IMDSv2 required; empty means no requirement)
  imdsSupport string
  // Current state of the image (available, pending, failed, etc.)
  state string
  // Whether the image is public
  public bool
  // Root device type (ebs or instance-store)
  rootDeviceType string
  // Virtualization type (hvm or paravirtual)
  virtualizationType string
  // Block device mappings for the image
  blockDeviceMappings []aws.ec2.image.blockDeviceMapping
  // Tags associated with the image
  tags map[string]string
  // Region where the image is located
  region string
  // Launch permissions for the image (user IDs and groups that can launch instances from this AMI)
  launchPermissions() []aws.ec2.image.launchPermission
  // Description of the AMI
  description string
  // Type of image: machine, kernel, or ramdisk
  imageType string
  // Whether the image is eligible for the AWS Free Tier
  freeTierEligible bool
  // Whether the image is allowed by the Allowed AMIs setting
  imageAllowed bool
  // Whether deregistration protection is enabled (disabled, enabled, enabled-with-cooldown)
  deregistrationProtection string
  // Last time the image was used to launch an instance
  lastLaunchedAt time
  // Detailed platform information (e.g., "Red Hat Enterprise Linux 9 (HVM)")
  platformDetails string
  // Boot mode of the image: undefined, legacy-bios, uefi, or uefi-preferred
  bootMode string
  // Root device name (e.g., /dev/sda1)
  rootDeviceName string
  // Source image ID if this AMI was copied from another image
  sourceImageId string
  // Source image region if this AMI was copied from another region
  sourceImageRegion string
}

// Amazon EC2 image launch permission
private aws.ec2.image.launchPermission @defaults("userId group") {
  // AWS account ID that has launch permission
  userId string
  // Group that has launch permission ("all" for public AMIs)
  group string
  // AWS Organization ARN that has launch permission
  organizationArn string
  // AWS Organizational Unit ARN that has launch permission
  organizationalUnitArn string
}

// Amazon EC2 image block device mapping
private aws.ec2.image.blockDeviceMapping @defaults("deviceName") {
  // Device name (e.g., /dev/sda1, /dev/xvda)
  deviceName string
  // Virtual device name for instance store (ephemeral0, ephemeral1, etc.)
  virtualName string
  // Whether to suppress this device mapping
  noDevice bool
  // EBS volume configuration (null for instance store volumes)
  ebs aws.ec2.image.ebsBlockDevice
}

// Amazon EC2 image EBS block device configuration
private aws.ec2.image.ebsBlockDevice @defaults("volumeSize volumeType encrypted") {
  // Whether the volume is encrypted
  encrypted bool
  // ID of the snapshot used to create the volume
  snapshotId string
  // Size of the volume in GiB
  volumeSize int
  // Volume type (gp2, gp3, io1, io2, etc.)
  volumeType string
  // ARN of the KMS key for encryption
  // Deprecated: use kmsKey() instead
  kmsKeyId string
  // KMS key used for encryption
  kmsKey() aws.kms.key
  // IOPS for the volume
  iops int
  // Throughput in MiB/s
  throughput int
  // Whether to delete on instance termination
  deleteOnTermination bool
}

// Amazon EC2 instance block device
private aws.ec2.instance.device @defaults("deviceName volumeId status") {
  // Whether the volume should be deleted on instance termination
  deleteOnTermination bool
  // Status of the device
  status string
  // Volume ID for the device
  volumeId string
  // Name for the device
  deviceName string
}

// Amazon EC2 instance placement information
private aws.ec2.instance.placement @defaults("availabilityZone tenancy groupName") {
  // Availability Zone of the instance
  availabilityZone string
  // ID of the Availability Zone
  availabilityZoneId string
  // Tenancy of the instance: default, dedicated, or host
  tenancy string
  // Name of the placement group
  groupName string
  // ID of the placement group
  groupId string
  // ID of the Dedicated Host
  hostId string
  // ARN of the host resource group
  hostResourceGroupArn string
  // Partition number (valid only for partition placement groups)
  partitionNumber int
  // Affinity setting for the instance on the Dedicated Host
  affinity string
}

// Amazon EC2 security group
private aws.ec2.securitygroup @defaults("id name region vpc.id") {
  // Security group ARN
  arn string
  // Security group ID
  id string
  // Name of the security group
  name string
  // Description of the security group
  description string
  // A map of tags associated with the security group
  tags map[string]string
  // VPC associated with the security group
  vpc() aws.vpc
  // IP permissions (ingress) for the security group
  ipPermissions() []aws.ec2.securitygroup.ippermission
  // IP permissions (egress) for the security group
  ipPermissionsEgress() []aws.ec2.securitygroup.ippermission
  // Region associated with the security group
  region string
  // Whether the security group is attached to Amazon Elastic Compute Cloud
  isAttachedToNetworkInterface() bool
}

// Amazon EC2 security group IP permission
private aws.ec2.securitygroup.ippermission @defaults("id toPort fromPort ipProtocol ipRanges ipv6Ranges") {
  // AWS ID of the security group
  id string
  // Start of port range for TCP/UDP protocols
  fromPort int
  // End of port range for TCP/UDP protocols
  toPort int
  // IP protocol name
  ipProtocol string
  // IPv4 address ranges
  ipRanges []string
  // IPv6 address ranges
  ipv6Ranges []string
  // List of prefix IDs
  prefixListIds []dict
  // List of user ID group pairs
  userIdGroupPairs []dict
}

// AWS Config
aws.config {
  // List of configuration recorders for each region in the account
  recorders() []aws.config.recorder
  // List of AWS Config rules
  rules() []aws.config.rule
  // List of delivery channels for each region in the account
  deliveryChannels() []aws.config.deliverychannel
  // List of configuration aggregators
  aggregators() []aws.config.aggregator
}

// AWS Config rule
private aws.config.rule @defaults("name id region state") {
  // ARN for the config rule
  arn string
  // State of the rule
  state string
  // Rule identifier that causes the function to evaluate resources
  source dict
  // ID of the Config rule
  id string
  // Name that you assigned to the Config rule
  name string
  // Description that provided for the Config rule
  description string
  // Region for the Config rule
  region string
}

// AWS Config recorder
private aws.config.recorder @defaults("name region") {
  // Name of the recorder
  name string
  // Deprecated: Use iamRole instead
  roleArn string
  // IAM role used to describe the AWS resources associated with the account
  iamRole() aws.iam.role
  // Whether the recorder records config changes for every supported type of regional resource
  allSupported bool
  // Whether the recorder records all supported types of global resources
  includeGlobalResourceTypes bool
  // Whether the recorder is currently recording
  recording bool
  // Last (previous) status of the recorder
  lastStatus string
  // Region for the recorder
  region string
  // Whether the recorder records specific resource types
  resourceTypes []string
}

// AWS Config delivery channel
private aws.config.deliverychannel @defaults("name region") {
  // Name of the delivery channel
  name string
  // S3 bucket name where configuration snapshots are delivered
  s3BucketName string
  // Prefix for the S3 bucket where configuration snapshots are delivered
  s3KeyPrefix string
  // ARN of the SNS topic that AWS Config delivers notifications to
  snsTopicARN string
  // Region for the delivery channel
  region string
}

// AWS Config aggregator
private aws.config.aggregator @defaults("name region") {
  // ARN of the configuration aggregator
  arn string
  // Name of the configuration aggregator
  name string
  // Region for the configuration aggregator
  region string
  // Account aggregation sources
  accountAggregationSources []aws.config.aggregator.accountAggregationSource
  // Organization aggregation source
  organizationAggregationSource() aws.config.aggregator.organizationAggregationSource
  // Time the aggregator was created
  createdAt time
  // Time the aggregator was last updated
  lastUpdatedAt time
}

// AWS Config aggregator account aggregation source
private aws.config.aggregator.accountAggregationSource {
  // List of account IDs included in the aggregation
  accountIds []string
  // Whether all AWS regions are included
  allAwsRegions bool
  // List of AWS regions included in the aggregation
  awsRegions []string
}

// AWS Config aggregator organization aggregation source
private aws.config.aggregator.organizationAggregationSource {
  // IAM role used for organization aggregation
  iamRole() aws.iam.role
  // Whether all AWS regions are included
  allAwsRegions bool
  // List of AWS regions included in the aggregation
  awsRegions []string
}

// Amazon Elastic Kubernetes Service (EKS)
aws.eks {
  // EKS clusters
  clusters() []aws.eks.cluster
}

// Amazon EKS managed node group
private aws.eks.nodegroup @defaults("name scalingConfig.DesiredSize diskSize status") {
  // Name for the EKS node group
  name string
  // ARN for the EKS node group
  arn() string
  // Region for the EKS node group
  region string
  // Time when the EKS node group was created
  createdAt() time
  // Time when the EKS node group was last modified
  modifiedAt() time
  // Status for the EKS node group
  status() string
  // Capacity type for the EKS node group (ON_DEMAND, SPOT)
  capacityType() string
  // Scaling configuration for the EKS node group
  scalingConfig() dict
  // Instance types for the EKS node group
  instanceTypes() []string
  // AMI type for the EKS node group
  amiType() string
  // IAM role for the EKS node group
  nodeRole() aws.iam.role
  // Disk size for the EKS node group
  diskSize() int
  // Kubernetes labels applied to the EKS node group
  labels() map[string]string
  // Tags for the EKS node group
  tags()  map[string]string
  // List of autoscaling groups for the node group
  autoscalingGroups() []aws.autoscaling.group
}

// Amazon EKS add-on
private aws.eks.addon @defaults("name addonVersion status") {
  // Add-on name
  name string
  // Amazon Resource Name (ARN) of the add-on
  arn() string
  // Add-on status
  status() string
  // Add-on version
  addonVersion() string
  // Unix epoch timestamp at object creation
  createdAt() time
  // Unix epoch timestamp for the last modification to the object
  modifiedAt() time
  // Tags for the EKS node group
  tags()  map[string]string
  // Add-on publisher
  publisher() string
  // Add-on owner
  owner() string
  // Configuration values that you provided
  configurationValues() string
  // Region where the add-on exists
  region string
}

// Amazon EKS cluster
aws.eks.cluster @defaults("arn version status") {
  // Name of the cluster
  name string
  // ARN of the cluster
  arn string
  // Region for the cluster
  region string
  // A map of tags associated with the cluster
  tags map[string]string
  // Endpoint of Kubernetes API server
  endpoint string
  // Kubernetes server version
  version string
  // Amazon EKS cluster version
  platformVersion string
  // Cluster status
  status string
  // Encryption configuration for the cluster
  encryptionConfig []dict
  // Cluster logging configuration
  logging dict
  // Kubernetes network configuration
  networkConfig dict
  // VPC configuration
  resourcesVpcConfig dict
  // Cluster creation timestamp
  createdAt time
  // List of EKS node groups
  nodeGroups() []aws.eks.nodegroup
  // List of EKS add-ons
  addons() []aws.eks.addon
  // IAM role that provides permissions for the Kubernetes control plane to make calls to Amazon Web Services API operations on your behalf
  iamRole aws.iam.role
  // Kubernetes support policy of the cluster. (`STANDARD` support automatically upgrades at the end of standard support. `EXTENDED` automatically enters extended support at the end of standard support)
  supportType string
  // Cluster authentication mode
  authenticationMode string
  // Whether deletion protection is enabled or not
  deletionProtection bool
  // Whether the Kubernetes API server endpoint is publicly accessible
  endpointPublicAccess bool
  // Whether the Kubernetes API server endpoint is accessible via private VPC endpoint
  endpointPrivateAccess bool
  // CIDR blocks allowed to access the public Kubernetes API endpoint
  publicAccessCidrs []string
}

// Amazon Neptune
aws.neptune @defaults("clusters") {
  // List of database clusters
  clusters() []aws.neptune.cluster
  // List of database instances
  instances() []aws.neptune.instance
}

// Amazon Neptune cluster
private aws.neptune.cluster @defaults("arn name status") {
  // ARN for the cluster
  arn string
  // Name of the cluster
  name string
  // Snapshots for this cluster
  snapshots() []aws.neptune.snapshot
  // User-supplied DB cluster identifier
  clusterIdentifier string
  // User-supplied global database cluster identifier
  globalClusterIdentifier string
  // Name of the database engine
  engine string
  // Database engine version
  engineVersion string
  // Amazon KMS key identifier for the encrypted DB cluster
  // Deprecated: use kmsKey() instead
  kmsKeyId string
  // KMS key used to encrypt the DB cluster
  kmsKey() aws.kms.key
  // Region where the cluster exists
  region string
  // Time when the cluster was created
  automaticRestartTime time
  // List of EC2 Availability Zones
  availabilityZones []string
  // Number of days automatic DB snapshots are retained
  backupRetentionPeriod int
  // Time when the cluster was created
  createdAt time
  // Whether the DB cluster can be cloned across accounts
  crossAccountClone bool
  // DB cluster parameter group for the DB cluster
  clusterParameterGroup string
  // Subnet group associated with the DB cluster
  subnetGroup string
  // Amazon Region-unique, immutable identifier for the DB cluster
  clusterResourceId string
  // Whether the DB cluster has deletion protection enabled
  deletionProtection bool
  // Earliest time to which a database can be restored
  earliestRestorableTime time
  // List of log types that this cluster is configured to export to CloudWatch logs
  enabledCloudwatchLogsExports []string
  // Connection endpoint for the primary instance
  endpoint string
  // Whether mapping of Amazon Identity and Access Management (IAM) accounts to database accounts is enabled
  iamDatabaseAuthenticationEnabled bool
  // Latest time to which a database can be restored
  latestRestorableTime time
  // Username
  masterUsername string
  // Whether the cluster has instances in multiple availability zones
  multiAZ bool
  // Port on which the database engine is listening
  port int
  // Daily time range during which automated backups are created
  preferredBackupWindow string
  // Weekly time range during which system maintenance can occur
  preferredMaintenanceWindow string
  // Status of the cluster
  status string
  // Whether the DB cluster is encrypted
  storageEncrypted bool
  // Storage type
  storageType string
  // List of VPC security groups associated with the DB cluster
  securityGroups() []aws.ec2.securitygroup
}

// Amazon Neptune instance
private aws.neptune.instance @defaults("arn name status"){
  // ARN for the instance
  arn string
  // Name of the instance
  name string
  // User-supplied DB cluster identifier
  clusterIdentifier string
  // Whether minor version patches are applied automatically
  autoMinorVersionUpgrade bool
  // Name of the availability zone
  availabilityZone string
  // Number of days automatic DB snapshots are retained
  backupRetentionPeriod int
  // Name of the compute and memory capacity class
  instanceClass string
  // Status of the instance
  status string
  // Port on which the database engine is listening
  port int
  // Whether the instance has deletion protection enabled
  deletionProtection bool
  // List of log types that this DB instance is configured to export to CloudWatch logs
  enabledCloudwatchLogsExports []string
  // Connection endpoint
  endpoint dict
  // Name of the database engine
  engine string
  // Database engine version
  engineVersion string
  // Amazon CloudWatch Log ARN log stream to which the database writes the audit log
  enhancedMonitoringResourceArn string
  // Whether mapping of Amazon Identity and Access Management (IAM) accounts to database accounts is enabled
  iamDatabaseAuthenticationEnabled bool
  // Time when the cluster was created
  createdAt time
  // Amazon KMS key identifier for the encrypted DB instance
  // Deprecated: use kmsKey() instead
  kmsKeyId string
  // KMS key used to encrypt the DB instance
  kmsKey() aws.kms.key
  // Latest time to which a database can be restored
  latestRestorableTime time
  // Username
  masterUsername string
  // Interval, in seconds, between points when Enhanced Monitoring metrics are collected
  monitoringInterval int
  // ARN for the IAM role that permits Neptune to send Enhanced Monitoring metrics to Amazon CloudWatch Logs
  monitoringRoleArn string
  // Whether the cluster has instances in multiple availability zones
  multiAZ bool
  // Daily time range during which automated backups are created
  preferredBackupWindow string
  // Weekly time range during which system maintenance can occur
  preferredMaintenanceWindow string
  // Order in which a Read Replica is promoted
  promotionTier int
  // Region where the cluster exists
  region string
  // Whether the DB cluster is encrypted
  storageEncrypted bool
  // Storage type
  storageType string
  // Key store with which the instance is associated for TDE encryption
  tdeCredentialArn string
  // Whether the DB instance is publicly accessible
  publiclyAccessible bool
  // ID of the Certificate Authority
  certificateAuthority string
}

// Amazon Neptune DB cluster snapshot
private aws.neptune.snapshot @defaults("arn status createdAt") {
  // Snapshot ARN
  arn string
  // Snapshot identifier
  id string
  // DB cluster identifier
  clusterIdentifier string
  // Database engine name
  engine string
  // Database engine version
  engineVersion string
  // Snapshot status
  status string
  // Snapshot type (manual or automated)
  snapshotType string
  // Port the database engine was listening on at the time of the snapshot
  port int
  // Allocated storage size in gibibytes
  allocatedStorage int
  // Whether the snapshot is encrypted
  storageEncrypted bool
  // Storage type
  storageType string
  // KMS key used for the encrypted snapshot
  kmsKey() aws.kms.key
  // Availability zones for the snapshot
  availabilityZones []string
  // Time the snapshot was taken
  createdAt time
  // Time the DB cluster was created
  clusterCreatedAt time
  // Region where the snapshot exists
  region string
}

// Amazon Cognito
aws.cognito @defaults("userPools") {
  // List of Cognito user pools
  userPools() []aws.cognito.userPool
  // List of Cognito identity pools (federated identities)
  identityPools() []aws.cognito.identityPool
}

// Amazon Cognito user pool
private aws.cognito.userPool @defaults("arn name") {
  // ARN of the user pool
  arn string
  // User pool ID
  id string
  // Name of the user pool
  name string
  // Region of the user pool
  region string
  // Status: Enabled or Disabled
  status string
  // Whether deletion protection is enabled
  deletionProtection() bool
  // MFA configuration: OFF, ON, OPTIONAL
  mfaConfiguration() string
  // Password policy
  passwordPolicy() dict
  // Advanced security mode: OFF, AUDIT, ENFORCED
  advancedSecurityMode() string
  // User pool tags
  tags() map[string]string
  // Date the user pool was created
  createdAt time
  // Date the user pool was last modified
  updatedAt time
}

// Amazon Cognito identity pool (federated identities)
private aws.cognito.identityPool @defaults("id name") {
  // Identity pool ID (format: REGION:GUID)
  id string
  // Name of the identity pool
  name string
  // Region of the identity pool
  region string
  // Whether unauthenticated identities are allowed
  allowUnauthenticatedIdentities() bool
  // Whether the Basic (Classic) authentication flow is enabled
  allowClassicFlow() bool
  // Developer provider name
  developerProviderName() string
  // OpenID Connect provider ARNs
  openIdConnectProviderArns() []string
  // SAML provider ARNs
  samlProviderArns() []string
  // Supported login providers (provider name to app ID mapping)
  supportedLoginProviders() map[string]string
  // Identity pool tags
  tags() map[string]string
}

// Amazon DocumentDB
aws.documentdb @defaults("clusters") {
  // List of DocumentDB clusters
  clusters() []aws.documentdb.cluster
  // List of DocumentDB instances
  instances() []aws.documentdb.instance
  // List of DocumentDB cluster snapshots
  snapshots() []aws.documentdb.snapshot
}

// Amazon DocumentDB cluster
private aws.documentdb.cluster @defaults("arn name status") {
  // ARN for the cluster
  arn string
  // Name of the cluster
  name string
  // User-supplied DB cluster identifier
  clusterIdentifier string
  // Name of the database engine
  engine string
  // Database engine version
  engineVersion string
  // KMS key used to encrypt the DB cluster
  kmsKey() aws.kms.key
  // Region where the cluster exists
  region string
  // List of EC2 Availability Zones
  availabilityZones []string
  // Number of days automatic DB snapshots are retained
  backupRetentionPeriod int
  // Time when the cluster was created
  createdAt time
  // DB cluster parameter group for the DB cluster
  clusterParameterGroup string
  // Subnet group associated with the DB cluster
  subnetGroup string
  // Amazon Region-unique, immutable identifier for the DB cluster
  clusterResourceId string
  // Whether the DB cluster has deletion protection enabled
  deletionProtection bool
  // Earliest time to which a database can be restored
  earliestRestorableTime time
  // List of log types that this cluster is configured to export to CloudWatch logs
  enabledCloudwatchLogsExports []string
  // Connection endpoint for the primary instance
  endpoint string
  // Username
  masterUsername string
  // Whether the cluster has instances in multiple availability zones
  multiAZ bool
  // Port on which the database engine is listening
  port int
  // Daily time range during which automated backups are created
  preferredBackupWindow string
  // Weekly time range during which system maintenance can occur
  preferredMaintenanceWindow string
  // Status of the cluster
  status string
  // Whether the DB cluster is encrypted
  storageEncrypted bool
  // Storage type
  storageType string
  // Tags for the cluster
  tags() map[string]string
  // Snapshots for this cluster
  snapshots() []aws.documentdb.snapshot
  // List of VPC security groups associated with the DB cluster
  securityGroups() []aws.ec2.securitygroup
  // Network type for the cluster (IPV4 or DUAL)
  networkType string
}

// Amazon DocumentDB instance
private aws.documentdb.instance @defaults("arn name status") {
  // ARN for the instance
  arn string
  // Name of the instance
  name string
  // User-supplied DB cluster identifier
  clusterIdentifier string
  // Whether minor version patches are applied automatically
  autoMinorVersionUpgrade bool
  // Name of the availability zone
  availabilityZone string
  // Number of days automatic DB snapshots are retained
  backupRetentionPeriod int
  // Name of the compute and memory capacity class
  instanceClass string
  // Status of the instance
  status string
  // List of log types that this DB instance is configured to export to CloudWatch logs
  enabledCloudwatchLogsExports []string
  // Connection endpoint
  endpoint dict
  // Name of the database engine
  engine string
  // Database engine version
  engineVersion string
  // Time when the instance was created
  createdAt time
  // KMS key used to encrypt the DB instance
  kmsKey() aws.kms.key
  // Daily time range during which automated backups are created
  preferredBackupWindow string
  // Weekly time range during which system maintenance can occur
  preferredMaintenanceWindow string
  // Order in which a Read Replica is promoted
  promotionTier int
  // Region where the instance exists
  region string
  // Whether the DB instance is encrypted
  storageEncrypted bool
  // ID of the Certificate Authority
  certificateAuthority string
  // Tags for the instance
  tags() map[string]string
}

// Amazon DocumentDB cluster snapshot
private aws.documentdb.snapshot @defaults("arn status createdAt") {
  // Snapshot ARN
  arn string
  // Snapshot identifier
  id string
  // DB cluster identifier
  clusterIdentifier string
  // Database engine name
  engine string
  // Database engine version
  engineVersion string
  // Snapshot status
  status string
  // Snapshot type (manual or automated)
  snapshotType string
  // Port the database engine was listening on at the time of the snapshot
  port int
  // Whether the snapshot is encrypted
  storageEncrypted bool
  // Storage type
  storageType string
  // KMS key used for the encrypted snapshot
  kmsKey() aws.kms.key
  // Availability zones for the snapshot
  availabilityZones []string
  // VPC associated with the snapshot
  vpc() aws.vpc
  // Percentage progress of the snapshot
  percentProgress int
  // Time the snapshot was taken
  createdAt time
  // Time the DB cluster was created
  clusterCreatedAt time
  // Region where the snapshot exists
  region string
}

// Amazon Timestream for LiveAnalytics
aws.timestream.liveanalytics @defaults("databases") {
  // List of databases
  databases() []aws.timestream.liveanalytics.database
  // List of database tables
  tables() []aws.timestream.liveanalytics.table
}

// Amazon Timestream for LiveAnalytics database
private aws.timestream.liveanalytics.database @defaults("name region") {
  // ARN for the database
  arn string
  // Name of the database
  name string
  // KMS key used to encrypt the data stored in the database
  // Deprecated: use kmsKey() instead
  kmsKeyId string
  // KMS key used to encrypt the data stored in the database
  kmsKey() aws.kms.key
  // Region where the database exists
  region string
  // Time when the database was created
  createdAt time
  // Time when the database was last updated
  updatedAt time
  // Total number of tables in database
  tableCount int
}

// Amazon Timestream for LiveAnalytics table
private aws.timestream.liveanalytics.table @defaults("name region") {
  // ARN for the table
  arn string
  // Name of the table
  name string
  // Name of the database
  databaseName string
  // Region where the table exists
  region string
  // Time when the table was created
  createdAt time
  // Time when the table was last updated
  updatedAt time
  // Magnetic store properties for the table
  magneticStoreWriteProperties dict
  // Retention duration properties for the table
  retentionProperties dict
}

// AWS CodeDeploy
aws.codedeploy {
  // List of CodeDeploy applications across all enabled regions
  applications() []aws.codedeploy.application
}

// AWS CodeDeploy Application
private aws.codedeploy.application @defaults("applicationName computePlatform createdAt region") {
  // ARN of the application
  arn string
  // ID of the application
  applicationId string
  // Name of the application
  applicationName string
  // Compute platform of the application (Server, Lambda, or ECS)
  computePlatform string
  // Time the application was created
  createdAt time
  // Whether the application is linked to a GitHub account
  linkedToGitHub bool
  // Tags for the application
  tags() map[string]string
  // List of deployment groups for this application
  deploymentGroups() []aws.codedeploy.deploymentGroup
  // List of deployments for this application
  deployments() []aws.codedeploy.deployment
  // Region of the application
  region string
}

// AWS CodeDeploy Deployment Group
private aws.codedeploy.deploymentGroup @defaults("deploymentGroupName computePlatform deploymentGroupId region") {
  // Application name this deployment group belongs to
  applicationName string
  // ARN of the deployment group
  arn string
  // ID of the deployment group
  deploymentGroupId string
  // Name of the deployment group
  deploymentGroupName string
  // Compute platform of the deployment group (Server, Lambda, or ECS)
  computePlatform string
  // Service role ARN for the deployment group
  serviceRoleArn string
  // Target revision for the deployment group (includes type, location, etc.)
  targetRevision() dict
  // Tags for the deployment group
  tags() map[string]string
  // Region of the deployment group
  region string
  // List of deployments for this deployment group
  deployments() []aws.codedeploy.deployment
  // Auto scaling groups associated with the deployment group
  autoScalingGroups() []aws.autoscaling.group
  // EC2 tag filters for the deployment group
  ec2TagFilters() []dict
  // On-premises instance tag filters for the deployment group
  onPremisesInstanceTagFilters() []dict
  // Last successful deployment information
  lastSuccessfulDeployment() aws.codedeploy.deployment
  // Last attempted deployment information
  lastAttemptedDeployment() aws.codedeploy.deployment
  // Deployment style (BLUE_GREEN or IN_PLACE)
  deploymentStyle() dict
  // Blue/green deployment configuration
  blueGreenDeploymentConfiguration() dict
  // Load balancer info
  loadBalancerInfo() dict
}

// AWS CodeDeploy Deployment
private aws.codedeploy.deployment @defaults("deploymentId status applicationName deploymentGroupName createdAt region") {
  // Application name for the deployment
  applicationName string
  // Deployment ID
  deploymentId string
  // ARN of the deployment (Note: Deployments themselves don't have ARNs, this will be a synthetic ID or the deploymentId itself)
  arn string
  // Status of the deployment (Created, Queued, InProgress, Baking, Succeeded, Failed, Stopped, Ready)
  status string
  // Deployment group name
  deploymentGroupName string
  // Deployment configuration name
  deploymentConfigName string
  // Time the deployment was created
  createdAt time
  // Time the deployment was completed
  completedAt time
  // Deprecated. Use `completedAt` instead.
  compleatedAt time
  // Description of the deployment
  description string
  // Creator of the deployment (user, autoscaling, codeDeployRollback, etc.)
  creator string
  // Whether to ignore application stop failures
  ignoreApplicationStopFailures bool
  // Information about the instances targeted by the deployment (complex structure, represented as dict)
  targetInstances() dict
  // Revision information for the deployment (S3 location, GitHub location, etc.)
  revision() dict
  // Region of the deployment
  region string
  // Error information, if any
  errorInformation() dict
  // Deployment overview (counts for Pending, InProgress, Succeeded, Failed, Skipped, Ready)
  deploymentOverview() dict
  // Whether this deployment is a rollback
  isRollback() bool
  // Rollback information if this deployment is a rollback or was rolled back
  rollbackInfo() dict
}

// Amazon WorkDocs
aws.workdocs {
  // List of WorkDocs users across all enabled regions
  users() []aws.workdocs.user
}

// Amazon WorkDocs user
private aws.workdocs.user @defaults("username emailAddress status") {
  // Internal user ID
  id string
  // Username
  username string
  // Email address
  emailAddress string
  // Given (first) name
  givenName string
  // Surname (last name)
  surname string
  // User status: ACTIVE, INACTIVE, or PENDING
  status string
  // User type: USER, ADMIN, POWERUSER, MINIMALUSER, or WORKSPACESUSER
  userType string
  // Time when the user was created
  createdTimestamp time
  // Time when the user was last modified
  modifiedTimestamp time
  // Time zone ID for the user
  timeZoneId string
  // Locale setting for the user
  locale string
  // Organization (directory) ID the user belongs to
  organizationId string
  // Storage allocated to the user in bytes
  storageAllocatedInBytes int
  // Storage used by the user in bytes
  storageUtilizedInBytes int
  // Storage rule type: UNLIMITED or QUOTA
  storageType string
  // ID of the user's recycle bin folder
  recycleBinFolderId string
  // ID of the user's root folder
  rootFolderId string
  // Region where this user exists
  region string
}

// Amazon AppStream 2.0
aws.appstream @defaults("fleets") {
  // List of AppStream fleets across all enabled regions
  fleets() []aws.appstream.fleet
  // List of AppStream stacks across all enabled regions
  stacks() []aws.appstream.stack
  // List of AppStream image builders across all enabled regions
  imageBuilders() []aws.appstream.imageBuilder
}

// Amazon AppStream 2.0 fleet
private aws.appstream.fleet @defaults("name state fleetType region") {
  // ARN of the fleet
  arn string
  // Name of the fleet
  name string
  // Current state of the fleet: STARTING, RUNNING, STOPPING, or STOPPED
  state string
  // Fleet type: ALWAYS_ON, ON_DEMAND, or ELASTIC
  fleetType string
  // Instance type used for fleet instances
  instanceType string
  // Maximum duration of a streaming session in seconds
  maxUserDurationInSeconds int
  // Disconnect timeout in seconds
  disconnectTimeoutInSeconds int
  // Idle disconnect timeout in seconds
  idleDisconnectTimeoutInSeconds int
  // Whether default internet access is enabled
  enableDefaultInternetAccess bool
  // Domain join configuration
  domainJoinInfo dict
  // Maximum number of concurrent sessions for the fleet
  maxConcurrentSessions int
  // Maximum number of user sessions per instance
  maxSessionsPerInstance int
  // VPC configuration (SubnetIds, SecurityGroupIds)
  vpcConfig dict
  // ARN of the IAM role applied to the fleet
  iamRoleArn string
  // Name of the image used to create the fleet
  imageName string
  // ARN of the image used to create the fleet
  imageArn string
  // Operating system platform: WINDOWS, WINDOWS_SERVER_2016, WINDOWS_SERVER_2019, WINDOWS_SERVER_2022, WINDOWS_SERVER_2025, AMAZON_LINUX2, RHEL8, ROCKY_LINUX8, or UBUNTU_PRO_2404
  platform string
  // Time when the fleet was created
  createdAt time
  // Tags associated with the fleet
  tags() map[string]string
  // Region where the fleet exists
  region string
}

// Amazon AppStream 2.0 stack
private aws.appstream.stack @defaults("name region") {
  // ARN of the stack
  arn string
  // Name of the stack
  name string
  // Description of the stack
  description string
  // Time when the stack was created
  createdAt time
  // Access endpoints for the stack
  accessEndpoints []dict
  // Application settings for the stack
  applicationSettings dict
  // Storage connectors for the stack
  storageConnectors []dict
  // User settings for the stack
  userSettings []dict
  // Domains where AppStream streaming sessions can be embedded
  embedHostDomains []string
  // Tags associated with the stack
  tags() map[string]string
  // Region where the stack exists
  region string
}

// Amazon AppStream 2.0 image builder
private aws.appstream.imageBuilder @defaults("name state platform region") {
  // ARN of the image builder
  arn string
  // Name of the image builder
  name string
  // Description of the image builder
  description string
  // Current state of the image builder
  state string
  // Instance type for the image builder
  instanceType string
  // Operating system platform
  platform string
  // ARN of the image used by the image builder
  imageArn string
  // Version of the AppStream agent
  appstreamAgentVersion string
  // Whether default internet access is enabled
  enableDefaultInternetAccess bool
  // Domain join configuration
  domainJoinInfo dict
  // VPC configuration (SubnetIds, SecurityGroupIds)
  vpcConfig dict
  // ARN of the IAM role applied to the image builder
  iamRoleArn string
  // Network access configuration
  networkAccessConfiguration dict
  // Time when the image builder was created
  createdAt time
  // Tags associated with the image builder
  tags() map[string]string
  // Region where the image builder exists
  region string
}

// Amazon Athena
aws.athena @defaults("workgroups") {
  // List of Athena workgroups
  workgroups() []aws.athena.workgroup
  // List of Athena data catalogs
  dataCatalogs() []aws.athena.dataCatalog
  // List of Athena named (saved) queries
  namedQueries() []aws.athena.namedQuery
}

// Amazon Athena workgroup
private aws.athena.workgroup @defaults("name state region") {
  // Name of the workgroup
  name string
  // ARN of the workgroup (synthetic: arn:aws:athena:{region}:{account}:workgroup/{name})
  arn string
  // State of the workgroup: ENABLED or DISABLED
  state string
  // Description of the workgroup
  description string
  // Date and time the workgroup was created
  createdAt time
  // Whether workgroup settings override client-side settings
  enforceWorkGroupConfiguration() bool
  // Whether Amazon CloudWatch metrics are enabled for the workgroup
  publishCloudWatchMetricsEnabled() bool
  // Upper data usage limit for the amount of bytes scanned per query
  bytesScannedCutoffPerQuery() int
  // Whether requester pays is enabled for the workgroup
  requesterPaysEnabled() bool
  // Engine version information
  engineVersion() dict
  // Result configuration (output location and encryption)
  resultConfiguration() dict
  // Region where the workgroup exists
  region string
  // Tags for the workgroup
  tags() map[string]string
}

// Amazon Athena data catalog
private aws.athena.dataCatalog @defaults("name type region") {
  // Name of the data catalog
  name string
  // Type of data catalog: LAMBDA, GLUE, HIVE, or FEDERATED
  type string
  // Description of the data catalog
  description() string
  // Parameters for the data catalog (e.g., Lambda ARN, Glue catalog ID)
  parameters() map[string]string
  // Status of the data catalog: CREATE_IN_PROGRESS, CREATE_COMPLETE, CREATE_FAILED, etc.
  status string
  // Connection type for FEDERATED catalogs
  connectionType string
  // Error message if creation/deletion failed
  error string
  // Region where the data catalog exists
  region string
}

// Amazon Athena named (saved) query
private aws.athena.namedQuery @defaults("name database region") {
  // Unique identifier of the named query
  id string
  // Name of the named query
  name string
  // Database to which the query belongs
  database string
  // SQL query string
  queryString string
  // Description of the named query
  description string
  // Workgroup the named query belongs to
  workGroup string
  // Region where the named query exists
  region string
}

// AWS Directory Service
aws.directoryservice @defaults("directories") {
  // List of directories across all enabled regions
  directories() []aws.directoryservice.directory
}

// AWS Directory Service directory
private aws.directoryservice.directory @defaults("directoryId name type stage region") {
  // Unique identifier of the directory
  directoryId string
  // Fully qualified name of the directory (e.g., corp.example.com)
  name string
  // NetBIOS short name of the directory (e.g., CORP)
  shortName string
  // Description of the directory
  description string
  // Directory type: SimpleAD, ADConnector, MicrosoftAD, or SharedMicrosoftAD
  type string
  // Directory edition: Enterprise, Standard, or Hybrid
  edition string
  // Directory size: Small or Large
  size string
  // Alias for the directory (used in access URL)
  alias string
  // Access URL for the directory (e.g., alias.awsapps.com)
  accessUrl string
  // Current stage of the directory: Active, Creating, Deleted, Deleting, Failed, etc.
  stage string
  // Additional detail about the directory stage
  stageReason string
  // Time when the stage was last updated
  stageLastUpdatedDateTime time
  // Time when the directory was launched
  launchTime time
  // DNS IP addresses of the directory
  dnsIpAddrs []string
  // Whether single sign-on is enabled
  ssoEnabled bool
  // Desired number of domain controllers in the directory
  desiredNumberOfDomainControllers int
  // Operating system version: SERVER_2012 or SERVER_2019
  osVersion string
  // RADIUS MFA configuration status: Creating, Completed, or Failed
  radiusStatus string
  // RADIUS server settings for MFA
  radiusSettings() aws.directoryservice.radiusSettings
  // VPC settings for the directory
  vpcSettings() aws.directoryservice.vpcSettings
  // AD Connector settings for the directory
  connectSettings() aws.directoryservice.connectSettings
  // Owner directory description (for shared directories)
  ownerDirectoryDescription dict
  // Directory sharing method: ORGANIZATIONS or HANDSHAKE
  shareMethod string
  // Directory sharing status
  shareStatus string
  // Notes associated with shared directory
  shareNotes string
  // Tags associated with the directory
  tags() map[string]string
  // Region where the directory exists
  region string
}

// RADIUS server settings for MFA authentication
private aws.directoryservice.radiusSettings @defaults("authenticationProtocol radiusPort") {
  // Authentication protocol: PAP, CHAP, MS-CHAPv1, or MS-CHAPv2
  authenticationProtocol string
  // Display label for the RADIUS endpoint
  displayLabel string
  // Port that the RADIUS server is using
  radiusPort int
  // Maximum number of retries for RADIUS requests
  radiusRetries int
  // RADIUS server addresses
  radiusServers []string
  // Timeout in seconds for RADIUS requests
  radiusTimeout int
  // Whether the same username is used for both directory and RADIUS
  useSameUsername bool
}

// VPC settings for a Directory Service directory
private aws.directoryservice.vpcSettings @defaults("vpcId securityGroupId") {
  // Identifier of the VPC
  vpcId string
  // Identifier of the security group for the directory
  securityGroupId string
  // Identifiers of the subnets for the directory
  subnetIds []string
  // Availability zones of the directory
  availabilityZones []string
}

// AD Connector settings for a Directory Service directory
private aws.directoryservice.connectSettings @defaults("vpcId customerUserName") {
  // Identifier of the VPC
  vpcId string
  // Identifier of the security group for the directory
  securityGroupId string
  // Identifiers of the subnets for the directory
  subnetIds []string
  // Availability zones of the directory
  availabilityZones []string
  // IP addresses of the AD Connector servers
  connectIps []string
  // Username of the service account in the directory
  customerUserName string
}

// Amazon WorkSpaces service
aws.workspaces @defaults("directories") {
  // List of registered workspace directories across all enabled regions
  directories() []aws.workspaces.directory
  // List of all workspace instances across all enabled regions
  instances() []aws.workspaces.workspace
  // List of IP access control groups across all enabled regions
  ipGroups() []aws.workspaces.ipGroup
  // List of workspace images across all enabled regions
  images() []aws.workspaces.image
  // List of workspace bundles across all enabled regions
  bundles() []aws.workspaces.bundle
}

// Amazon WorkSpaces directory
private aws.workspaces.directory @defaults("directoryId directoryName state region") {
  // Directory identifier
  directoryId string
  // Fully qualified directory name
  directoryName string
  // Directory type: SIMPLE_AD, AD_CONNECTOR, CUSTOMER_MANAGED, AWS_IAM_IDENTITY_CENTER
  directoryType string
  // Directory alias
  alias string
  // Directory state
  state string
  // DNS IP addresses
  dnsIpAddresses []string
  // Endpoint encryption mode: STANDARD_TLS or FIPS_VALIDATED
  endpointEncryptionMode string
  // Workspace access properties for device types
  workspaceAccessProperties dict
  // Default workspace creation properties
  defaultCreationProperties dict
  // Certificate-based authentication properties
  certificateBasedAuthProperties dict
  // Associated IP access control group IDs
  ipGroupIds []string
  // Self-service permissions for users
  selfservicePermissions dict
  // IAM role identifier
  iamRoleId string
  // Subnet identifiers
  subnetIds []string
  // Resource tags
  tags() map[string]string
  // AWS region
  region string
}

// Amazon WorkSpaces Web service
aws.workspacesweb @defaults("portals") {
  // List of WorkSpaces Web portals across all enabled regions
  portals() []aws.workspacesweb.portal
  // List of user access logging settings across all enabled regions
  userAccessLoggingSettings() []aws.workspacesweb.userAccessLoggingSetting
}

// Amazon WorkSpaces Web portal
private aws.workspacesweb.portal @defaults("displayName portalStatus region") {
  // Portal ARN
  portalArn string
  // Portal display name
  displayName string
  // Portal endpoint URL
  portalEndpoint string
  // Portal status: Incomplete, Pending, Active
  portalStatus string
  // Authentication type: Standard or IAMIdentityCenter
  authenticationType string
  // Browser type
  browserType string
  // Instance type
  instanceType string
  // Renderer type
  rendererType string
  // Associated browser settings ARN
  browserSettingsArn string
  // Associated network settings ARN
  networkSettingsArn string
  // Associated user settings ARN
  userSettingsArn string
  // Associated trust store ARN
  trustStoreArn string
  // Associated IP access settings ARN
  ipAccessSettingsArn string
  // Associated user access logging settings ARN
  userAccessLoggingSettingsArn string
  // Associated data protection settings ARN
  dataProtectionSettingsArn string
  // Maximum concurrent sessions
  maxConcurrentSessions int
  // Portal creation timestamp
  creationDate time
  // AWS region
  region string
}

// Amazon WorkSpaces workspace instance
private aws.workspaces.workspace @defaults("workspaceId userName state region") {
  // Workspace identifier
  workspaceId string
  // Associated directory ID
  directoryId string
  // User associated with the workspace
  userName string
  // IP address of the workspace
  ipAddress string
  // Computer name
  computerName string
  // Bundle ID used to create the workspace
  bundleId string
  // Subnet ID
  subnetId string
  // State: PENDING, AVAILABLE, IMPAIRED, UNHEALTHY, REBOOTING, etc.
  state string
  // Whether the root volume is encrypted
  rootVolumeEncryptionEnabled bool
  // Whether the user volume is encrypted
  userVolumeEncryptionEnabled bool
  // KMS key ARN for volume encryption
  volumeEncryptionKey string
  // Error code if in error state
  errorCode string
  // Error message if in error state
  errorMessage string
  // Resource tags
  tags() map[string]string
  // Connection state: CONNECTED, DISCONNECTED, UNKNOWN
  connectionState() string
  // Timestamp of the last connection state check
  connectionStateCheckTimestamp() time
  // Timestamp of the last known user connection
  lastKnownUserConnectionTimestamp() time
  // Security groups associated with the workspace network interfaces
  securityGroups() []aws.ec2.securitygroup
  // AWS region
  region string
}

// Amazon WorkSpaces image
private aws.workspaces.image @defaults("imageId name state region") {
  // Image identifier
  imageId string
  // Image name
  name string
  // Image description
  description string
  // Operating system details
  operatingSystem dict
  // State: AVAILABLE, PENDING, ERROR
  state string
  // Image creation timestamp
  created time
  // Account that owns the image
  ownerAccountId string
  // AWS region
  region string
}

// Amazon WorkSpaces bundle
private aws.workspaces.bundle @defaults("bundleId name region") {
  // Bundle identifier
  bundleId string
  // Bundle name
  name string
  // Bundle description
  description string
  // Owner account ID or AMAZON
  owner string
  // Compute type configuration
  computeType dict
  // User storage configuration
  userStorage dict
  // Root storage configuration
  rootStorage dict
  // Bundle state: AVAILABLE, PENDING, ERROR
  state string
  // Bundle type: REGULAR or STANDBY
  bundleType string
  // Associated image ID
  imageId string
  // Bundle creation timestamp
  creationTime time
  // Last update timestamp
  lastUpdatedTime time
  // AWS region
  region string
}

// Amazon WorkSpaces IP access control group
private aws.workspaces.ipGroup @defaults("groupId groupName region") {
  // IP group identifier
  groupId string
  // IP group name
  groupName string
  // IP group description
  groupDesc string
  // IP rules (each has ipRule and ruleDesc)
  userRules []dict
  // AWS region
  region string
}

// Amazon WorkSpaces Web user access logging setting
private aws.workspacesweb.userAccessLoggingSetting @defaults("userAccessLoggingSettingsArn kinesisStreamArn region") {
  // Settings ARN
  userAccessLoggingSettingsArn string
  // Kinesis data stream ARN for logging
  kinesisStreamArn string
  // AWS region
  region string
}

// Amazon Kinesis
aws.kinesis @defaults("streams") {
  // List of Kinesis data streams
  streams() []aws.kinesis.stream
  // List of Kinesis Firehose delivery streams
  firehoseDeliveryStreams() []aws.kinesis.firehoseDeliveryStream
  // List of all enhanced fan-out consumers across all streams
  streamConsumers() []aws.kinesis.streamConsumer
}

// Amazon Kinesis data stream
private aws.kinesis.stream @defaults("name status region") {
  // ARN of the stream
  arn string
  // Name of the stream
  name string
  // Current status of the stream: CREATING, DELETING, ACTIVE, or UPDATING
  status string
  // Encryption type used (NONE or KMS)
  encryptionType() string
  // KMS key ID for encryption
  // Deprecated: use kmsKey() instead
  keyId() string
  // KMS key used for encryption
  kmsKey() aws.kms.key
  // Number of hours data records are accessible after being added to the stream
  retentionPeriodHours() int
  // Number of open shards in the stream
  openShardCount() int
  // Number of enhanced fan-out consumers registered with the stream
  consumerCount() int
  // Stream mode details (ON_DEMAND or PROVISIONED)
  streamModeDetails dict
  // Enhanced monitoring settings
  enhancedMonitoring() []dict
  // Date and time the stream was created
  createdAt time
  // Region where the stream exists
  region string
  // Tags for the stream
  tags() map[string]string
  // Enhanced fan-out consumers registered with the stream
  consumers() []aws.kinesis.streamConsumer
}

// Amazon Kinesis enhanced fan-out stream consumer
private aws.kinesis.streamConsumer @defaults("name status") {
  // ARN of the consumer
  arn string
  // Name of the consumer
  name string
  // Current status of the consumer: CREATING, ACTIVE, or DELETING
  status string
  // Date and time the consumer was created
  createdAt time
  // Stream the consumer is registered with
  stream() aws.kinesis.stream
  // Region where the consumer exists
  region string
}

// Amazon Kinesis Firehose delivery stream
private aws.kinesis.firehoseDeliveryStream @defaults("name status region") {
  // ARN of the delivery stream
  arn string
  // Name of the delivery stream
  name string
  // Current status of the delivery stream: CREATING, CREATING_FAILED, DELETING, DELETING_FAILED, or ACTIVE
  status string
  // Type of the delivery stream (DirectPut or KinesisStreamAsSource)
  deliveryStreamType string
  // Server-side encryption configuration
  encryption dict
  // Source configuration if the stream reads from a Kinesis data stream
  source dict
  // Destinations for the delivery stream
  destinations() []aws.kinesis.firehoseDeliveryStream.destination
  // Date and time the delivery stream was created
  createdAt time
  // Region where the delivery stream exists
  region string
  // Tags for the delivery stream
  tags() map[string]string
}

// Amazon Kinesis Firehose delivery stream destination
private aws.kinesis.firehoseDeliveryStream.destination @defaults("destinationId type") {
  // Destination ID
  destinationId string
  // Type of destination: s3, redshift, elasticsearch, opensearch, splunk, httpEndpoint
  type string
  // Region where the parent delivery stream exists
  region string
  // S3 (Extended) destination configuration (null if not S3 type)
  s3() aws.kinesis.firehoseDeliveryStream.destination.s3
  // Redshift destination configuration (null if not Redshift type)
  redshift() aws.kinesis.firehoseDeliveryStream.destination.redshift
  // Elasticsearch destination configuration (null if not Elasticsearch type)
  elasticsearch() aws.kinesis.firehoseDeliveryStream.destination.elasticsearch
  // OpenSearch Service destination configuration (null if not OpenSearch type)
  opensearch() aws.kinesis.firehoseDeliveryStream.destination.opensearch
  // Splunk destination configuration (null if not Splunk type)
  splunk() aws.kinesis.firehoseDeliveryStream.destination.splunk
  // HTTP endpoint destination configuration (null if not HTTP endpoint type)
  httpEndpoint() aws.kinesis.firehoseDeliveryStream.destination.httpEndpoint
}

// Amazon Kinesis Firehose CloudWatch logging options
private aws.kinesis.firehoseDeliveryStream.cloudWatchLogging @defaults("enabled logGroupName") {
  // Whether CloudWatch logging is enabled
  enabled bool
  // CloudWatch log group name
  logGroupName string
  // CloudWatch log stream name
  logStreamName string
}

// Amazon Kinesis Firehose S3 (Extended) destination
private aws.kinesis.firehoseDeliveryStream.destination.s3 @defaults("bucketArn compressionFormat") {
  // ARN of the S3 bucket
  bucketArn string
  // IAM role for delivery
  iamRole() aws.iam.role
  // Compression format: UNCOMPRESSED, GZIP, ZIP, Snappy, HADOOP_SNAPPY
  compressionFormat string
  // Prefix for delivered S3 objects
  prefix string
  // Prefix for failed records
  errorOutputPrefix string
  // File extension override
  fileExtension string
  // Buffering size in MBs
  bufferingSizeInMBs int
  // Buffering interval in seconds
  bufferingIntervalInSeconds int
  // S3 backup mode: Disabled or Enabled
  s3BackupMode string
  // CloudWatch logging options
  cloudWatchLogging aws.kinesis.firehoseDeliveryStream.cloudWatchLogging
  // Data format conversion configuration
  dataFormatConversion dict
  // Dynamic partitioning configuration
  dynamicPartitioning dict
  // Data processing configuration
  processingConfiguration dict
  // Region
  region string
}

// Amazon Kinesis Firehose Redshift destination
private aws.kinesis.firehoseDeliveryStream.destination.redshift @defaults("clusterJdbcUrl") {
  // Cluster JDBC URL
  clusterJdbcUrl string
  // IAM role for delivery
  iamRole() aws.iam.role
  // Username
  username string
  // COPY command table name
  copyCommandTableName string
  // COPY command options
  copyCommandOptions string
  // S3 backup mode: Disabled or Enabled
  s3BackupMode string
  // CloudWatch logging options
  cloudWatchLogging aws.kinesis.firehoseDeliveryStream.cloudWatchLogging
  // Data processing configuration
  processingConfiguration dict
  // Retry duration in seconds
  retryDurationInSeconds int
  // Region
  region string
}

// Amazon Kinesis Firehose Elasticsearch destination
private aws.kinesis.firehoseDeliveryStream.destination.elasticsearch @defaults("domainArn indexName") {
  // Domain ARN
  domainArn string
  // Cluster endpoint
  clusterEndpoint string
  // Index name
  indexName string
  // Index rotation period: NoRotation, OneHour, OneDay, OneWeek, OneMonth
  indexRotationPeriod string
  // IAM role for delivery
  iamRole() aws.iam.role
  // S3 backup mode: FailedDocumentsOnly or AllDocuments
  s3BackupMode string
  // Buffering size in MBs
  bufferingSizeInMBs int
  // Buffering interval in seconds
  bufferingIntervalInSeconds int
  // CloudWatch logging options
  cloudWatchLogging aws.kinesis.firehoseDeliveryStream.cloudWatchLogging
  // Data processing configuration
  processingConfiguration dict
  // Retry duration in seconds
  retryDurationInSeconds int
  // Region
  region string
}

// Amazon Kinesis Firehose OpenSearch Service destination
private aws.kinesis.firehoseDeliveryStream.destination.opensearch @defaults("domainArn indexName") {
  // Domain ARN
  domainArn string
  // Cluster endpoint
  clusterEndpoint string
  // Index name
  indexName string
  // Index rotation period: NoRotation, OneHour, OneDay, OneWeek, OneMonth
  indexRotationPeriod string
  // IAM role for delivery
  iamRole() aws.iam.role
  // S3 backup mode: FailedDocumentsOnly or AllDocuments
  s3BackupMode string
  // Buffering size in MBs
  bufferingSizeInMBs int
  // Buffering interval in seconds
  bufferingIntervalInSeconds int
  // CloudWatch logging options
  cloudWatchLogging aws.kinesis.firehoseDeliveryStream.cloudWatchLogging
  // Data processing configuration
  processingConfiguration dict
  // Retry duration in seconds
  retryDurationInSeconds int
  // Region
  region string
}

// Amazon Kinesis Firehose Splunk destination
private aws.kinesis.firehoseDeliveryStream.destination.splunk @defaults("hecEndpoint hecEndpointType") {
  // HEC endpoint URL
  hecEndpoint string
  // HEC endpoint type: Raw or Event
  hecEndpointType string
  // HEC acknowledgment timeout in seconds
  hecAcknowledgmentTimeoutInSeconds int
  // S3 backup mode: FailedEventsOnly or AllEvents
  s3BackupMode string
  // Buffering size in MBs
  bufferingSizeInMBs int
  // Buffering interval in seconds
  bufferingIntervalInSeconds int
  // CloudWatch logging options
  cloudWatchLogging aws.kinesis.firehoseDeliveryStream.cloudWatchLogging
  // Data processing configuration
  processingConfiguration dict
  // Retry duration in seconds
  retryDurationInSeconds int
  // Region
  region string
}

// Amazon Kinesis Firehose HTTP endpoint destination
private aws.kinesis.firehoseDeliveryStream.destination.httpEndpoint @defaults("endpointUrl endpointName") {
  // Endpoint URL
  endpointUrl string
  // Endpoint name
  endpointName string
  // IAM role for delivery
  iamRole() aws.iam.role
  // S3 backup mode: FailedDataOnly or AllData
  s3BackupMode string
  // Buffering size in MBs
  bufferingSizeInMBs int
  // Buffering interval in seconds
  bufferingIntervalInSeconds int
  // CloudWatch logging options
  cloudWatchLogging aws.kinesis.firehoseDeliveryStream.cloudWatchLogging
  // Data processing configuration
  processingConfiguration dict
  // Request configuration
  requestConfiguration dict
  // Retry duration in seconds
  retryDurationInSeconds int
  // Region
  region string
}

// Amazon MemoryDB
aws.memorydb @defaults("clusters") {
  // List of MemoryDB clusters
  clusters() []aws.memorydb.cluster
  // List of MemoryDB access control lists
  acls() []aws.memorydb.acl
  // List of MemoryDB users
  users() []aws.memorydb.user
  // List of MemoryDB snapshots
  snapshots() []aws.memorydb.snapshot
  // List of MemoryDB subnet groups
  subnetGroups() []aws.memorydb.subnetGroup
}

// Amazon MemoryDB cluster
private aws.memorydb.cluster @defaults("name status nodeType region") {
  // ARN of the cluster
  arn string
  // Name of the cluster
  name string
  // Description of the cluster
  description string
  // Current status of the cluster: available, creating, deleted, deleting, incompatible-network, modifying, rebooting cluster nodes, restore-failed, or snapshotting
  status string
  // Node type for the nodes in the cluster
  nodeType string
  // Name of the engine used by the cluster
  engine string
  // Version number of the engine used by the cluster
  engineVersion string
  // Engine patch version
  enginePatchVersion string
  // Number of shards in the cluster
  numberOfShards int
  // Whether encryption in transit (TLS) is enabled
  tlsEnabled bool
  // KMS key used for encryption at rest
  kmsKey() aws.kms.key
  // Name of the Access Control List associated with the cluster
  aclName string
  // Name of the parameter group used by the cluster
  parameterGroupName string
  // Name of the subnet group used by the cluster
  subnetGroupName string
  // Number of days for which MemoryDB retains automatic snapshots
  snapshotRetentionLimit int
  // Daily time range during which MemoryDB takes automatic snapshots
  snapshotWindow string
  // Weekly time range during which system maintenance can occur
  maintenanceWindow string
  // Whether the cluster will automatically receive minor engine version upgrades
  autoMinorVersionUpgrade bool
  // Region where the cluster exists
  region string
  // Tags for the cluster
  tags() map[string]string
  // Security groups associated with the cluster
  securityGroups() []aws.ec2.securitygroup
}

// Amazon MemoryDB access control list
private aws.memorydb.acl @defaults("name status") {
  // ARN of the ACL
  arn string
  // Name of the ACL
  name string
  // Current status of the ACL: creating, active, modifying, or deleting
  status string
  // List of user names associated with the ACL
  userNames []string
  // List of cluster names associated with the ACL
  clusters []string
  // Minimum engine version supported by the ACL
  minimumEngineVersion string
  // Region where the ACL exists
  region string
  // Tags for the ACL
  tags() map[string]string
}

// Amazon MemoryDB user
private aws.memorydb.user @defaults("name status") {
  // ARN of the user
  arn string
  // Name of the user
  name string
  // Current status of the user: active, modifying, or deleting
  status string
  // Access permissions string for the user
  accessString string
  // List of ACL names the user belongs to
  aclNames []string
  // Minimum engine version supported by the user
  minimumEngineVersion string
  // Authentication configuration
  authentication dict
  // Region where the user exists
  region string
  // Tags for the user
  tags() map[string]string
}

// Amazon MemoryDB snapshot
private aws.memorydb.snapshot @defaults("name status") {
  // ARN of the snapshot
  arn string
  // Name of the snapshot
  name string
  // Current status of the snapshot: creating, available, restoring, copying, or deleting
  status string
  // Whether the snapshot is from an automatic backup (automated) or was created manually (manual)
  source string
  // KMS key used for the encrypted snapshot
  kmsKey() aws.kms.key
  // Cluster configuration at the time of the snapshot
  clusterConfiguration dict
  // Data tiering status: true or false
  dataTiering string
  // Region where the snapshot exists
  region string
  // Tags for the snapshot
  tags() map[string]string
}

// Amazon MemoryDB subnet group
private aws.memorydb.subnetGroup @defaults("name") {
  // ARN of the subnet group
  arn string
  // Name of the subnet group
  name string
  // Description of the subnet group
  description string
  // VPC in which the subnet group exists
  vpc() aws.vpc
  // Subnets in the subnet group
  subnets() []aws.vpc.subnet
  // Region where the subnet group exists
  region string
  // Tags for the subnet group
  tags() map[string]string
}

// Amazon Timestream for InfluxDB
aws.timestream.influxdb @defaults("instances clusters") {
  // List of InfluxDB instances
  instances() []aws.timestream.influxdb.instance
  // List of InfluxDB clusters
  clusters() []aws.timestream.influxdb.cluster
}

// Amazon Timestream for InfluxDB instance
private aws.timestream.influxdb.instance @defaults("arn name status") {
  // ARN of the DB instance
  arn string
  // Service-generated unique identifier
  id string
  // Customer-supplied name of the DB instance
  name string
  // Amount of storage allocated (GiB)
  allocatedStorage int
  // DB instance type
  dbInstanceType string
  // DB storage type
  dbStorageType string
  // Deployment type: SINGLE_AZ or WITH_MULTIAZ_STANDBY
  deploymentType string
  // Connection endpoint
  endpoint string
  // Network type: IPV4 or DUAL
  networkType string
  // Port for InfluxDB connections
  port int
  // Status of the DB instance
  status string
  // Region of the DB instance
  region string
  // Whether the DB instance has a public IP to facilitate access
  publiclyAccessible() bool
  // VPC subnets associated with the DB instance
  vpcSubnets() []aws.vpc.subnet
  // Security groups associated with the DB instance
  securityGroups() []aws.ec2.securitygroup
  // ARN of the Secrets Manager secret containing InfluxDB auth parameters
  influxAuthParametersSecretArn() string
  // Whether S3 log delivery is enabled
  logDeliveryEnabled() bool
  // S3 bucket name for log delivery
  logDeliveryS3Bucket() string
  // DB parameter group identifier
  dbParameterGroupIdentifier() string
  // Availability Zone of the DB instance
  availabilityZone() string
  // Tags for the DB instance
  tags() map[string]string
}

// Amazon Timestream for InfluxDB cluster
private aws.timestream.influxdb.cluster @defaults("arn name status") {
  // ARN of the DB cluster
  arn string
  // Service-generated unique identifier
  id string
  // Customer-supplied name of the DB cluster
  name string
  // Amount of storage allocated (GiB)
  allocatedStorage int
  // DB instance type used by the cluster
  dbInstanceType string
  // DB storage type
  dbStorageType string
  // Deployment type of the cluster
  deploymentType string
  // Write and read endpoint
  endpoint string
  // Read-only endpoint
  readerEndpoint string
  // Network type: IPV4 or DUAL
  networkType string
  // Port for InfluxDB connections
  port int
  // Status of the DB cluster
  status string
  // Region of the DB cluster
  region string
  // Engine type: INFLUXDB_V2, INFLUXDB_V3_CORE, or INFLUXDB_V3_ENTERPRISE
  engineType string
  // Whether the DB cluster has a public IP to facilitate access
  publiclyAccessible() bool
  // VPC subnets associated with the DB cluster
  vpcSubnets() []aws.vpc.subnet
  // Security groups associated with the DB cluster
  securityGroups() []aws.ec2.securitygroup
  // ARN of the Secrets Manager secret containing InfluxDB auth parameters
  influxAuthParametersSecretArn() string
  // Whether S3 log delivery is enabled
  logDeliveryEnabled() bool
  // S3 bucket name for log delivery
  logDeliveryS3Bucket() string
  // DB parameter group identifier
  dbParameterGroupIdentifier() string
  // Failover mode: AUTOMATIC or NO_FAILOVER
  failoverMode() string
  // Tags for the DB cluster
  tags() map[string]string
}

// AWS Glue
aws.glue @defaults("crawlers") {
  // List of Glue crawlers
  crawlers() []aws.glue.crawler
  // List of Glue ETL jobs
  jobs() []aws.glue.job
  // List of Glue security configurations
  securityConfigurations() []aws.glue.securityConfiguration
  // List of Glue Data Catalog databases
  databases() []aws.glue.database
  // Data Catalog encryption settings per region
  catalogEncryptionSettings() []dict
  // List of Glue workflows
  workflows() []aws.glue.workflow
}

// AWS Glue crawler
private aws.glue.crawler @defaults("name state databaseName region") {
  // Name of the crawler
  name string
  // ARN of the crawler
  arn string
  // IAM role used by the crawler
  role string
  // Name of the database where results are stored
  databaseName string
  // Description of the crawler
  description string
  // Targets for the crawler
  targets dict
  // Schedule for the crawler
  schedule string
  // Classifiers used by the crawler
  classifiers []string
  // Schema change policy
  schemaChangePolicy dict
  // Current state of the crawler: READY, RUNNING, or STOPPING
  state string
  // Configuration for the crawler
  configuration string
  // Security configuration name
  securityConfiguration string
  // Date and time the crawler was created
  createdAt time
  // Date and time the crawler was last updated
  updatedAt time
  // Region where the crawler exists
  region string
  // Tags for the crawler
  tags() map[string]string
}

// AWS Glue ETL job
private aws.glue.job @defaults("name region") {
  // Name of the job
  name string
  // ARN of the job
  arn string
  // Description of the job
  description string
  // IAM role associated with this job
  role string
  // Command that the job runs
  command dict
  // Maximum number of times to retry this job if it fails
  maxRetries int
  // Job timeout in minutes
  timeout int
  // Glue version used by this job
  glueVersion string
  // Number of workers allocated to this job
  numberOfWorkers int
  // Type of predefined worker allocated: Standard, G.1X, G.2X, G.025X
  workerType string
  // Maximum number of concurrent runs allowed for this job
  maxCapacity float
  // Connections used by this job
  connections []string
  // Default arguments for this job
  defaultArguments map[string]string
  // Security configuration name
  securityConfiguration string
  // Execution class of the job: FLEX or STANDARD
  executionClass string
  // Date and time the job was created
  createdAt time
  // Date and time the job was last modified
  updatedAt time
  // Region where the job exists
  region string
  // Tags for the job
  tags() map[string]string
}

// AWS Glue security configuration
private aws.glue.securityConfiguration @defaults("name") {
  // Name of the security configuration
  name string
  // Date and time the security configuration was created
  createdAt time
  // S3 encryption configuration
  s3Encryption dict
  // CloudWatch encryption configuration
  cloudWatchEncryption dict
  // Job bookmarks encryption configuration
  jobBookmarksEncryption dict
  // Region where the security configuration exists
  region string
}

// AWS Glue Data Catalog database
private aws.glue.database @defaults("name region") {
  // Name of the database
  name string
  // ID of the Data Catalog in which the database resides
  catalogId string
  // Description of the database
  description string
  // Location URI of the database
  locationUri string
  // Parameters of the database
  parameters map[string]string
  // Date and time the database was created
  createdAt time
  // Region where the database exists
  region string
  // Tables in the database
  tables() []aws.glue.database.table
}

// AWS Glue Data Catalog database table
private aws.glue.database.table @defaults("name databaseName region") {
  // Name of the table
  name string
  // Name of the database containing this table
  databaseName string
  // ID of the Data Catalog in which the table resides
  catalogId string
  // Description of the table
  description string
  // Owner of the table
  owner string
  // Date and time the table was created
  createdAt time
  // Date and time the table was last updated
  updatedAt time
  // Date and time the table was last accessed
  lastAccessedAt time
  // Retention time for the table (in days)
  retention int
  // Storage descriptor containing column and location information
  storageDescriptor dict
  // Type of the table (EXTERNAL_TABLE, VIRTUAL_VIEW, etc.)
  tableType string
  // Properties associated with the table
  parameters map[string]string
  // Person or entity who created the table
  createdBy string
  // Region where the table exists
  region string
}

// AWS Elastic Beanstalk
aws.elasticbeanstalk @defaults("environments") {
  // List of Elastic Beanstalk applications
  applications() []aws.elasticbeanstalk.application
  // List of Elastic Beanstalk environments
  environments() []aws.elasticbeanstalk.environment
}

// AWS Elastic Beanstalk application
private aws.elasticbeanstalk.application @defaults("arn name") {
  // ARN of the application
  arn string
  // Name of the application
  name string
  // Region of the application
  region string
  // Description of the application
  description string
  // Date the application was created
  createdAt time
  // Date the application was last updated
  updatedAt time
  // Configuration templates for the application
  configurationTemplates []string
  // Application version labels
  versions []string
  // Tags for the application
  tags() map[string]string
}

// AWS Elastic Beanstalk environment
private aws.elasticbeanstalk.environment @defaults("arn name status") {
  // ARN of the environment
  arn string
  // Name of the environment
  name string
  // Region of the environment
  region string
  // Application name the environment belongs to
  applicationName string
  // Description of the environment
  description string
  // Environment ID
  environmentId string
  // Platform ARN
  platformArn string
  // Solution stack name
  solutionStackName string
  // Status: Launching, Updating, Ready, Terminating, Terminated
  status string
  // Health: Green, Yellow, Red, Grey
  health string
  // Health status: Ok, Info, Warning, Degraded, Severe, Suspended, Unknown, NoData
  healthStatus string
  // CNAME of the environment
  cname string
  // Endpoint URL
  endpointUrl string
  // Environment tier (Worker or WebServer)
  tier dict
  // Date the environment was created
  createdAt time
  // Date the environment was last updated
  updatedAt time
  // Version label
  versionLabel string
  // Tags for the environment
  tags() map[string]string
}

// Amazon RDS database proxy
private aws.rds.proxy @defaults("arn name status") {
  // ARN of the DB proxy
  arn string
  // Name of the DB proxy
  name string
  // Region of the DB proxy
  region string
  // Whether debug logging is enabled
  debugLogging bool
  // Endpoint for the DB proxy
  endpoint string
  // Network type of the DB proxy endpoint: IPV4, IPV6, or DUAL
  endpointNetworkType string
  // Database engine family: MYSQL, POSTGRESQL, or SQLSERVER
  engineFamily string
  // Number of seconds a connection can be idle before being dropped
  idleClientTimeout int
  // Whether TLS encryption is required
  requireTLS bool
  // IAM role used to access Secrets Manager
  iamRole() aws.iam.role
  // Current status of the proxy: available, modifying, incompatible-network, insufficient-resource-limits, creating, deleting, suspended, suspending, or reactivating
  status string
  // VPC associated with the DB proxy
  vpc() aws.vpc
  // Security groups associated with the DB proxy
  securityGroups() []aws.ec2.securitygroup
  // Subnets associated with the DB proxy
  subnets() []aws.vpc.subnet
  // Date the proxy was created
  createdAt time
  // Date the proxy was last updated
  updatedAt time
  // Tags for the proxy
  tags() map[string]string
}

// AWS Glue workflow
private aws.glue.workflow @defaults("name region") {
  // Name of the workflow
  name string
  // Region of the workflow
  region string
  // Description of the workflow
  description string
  // Default run properties for the workflow
  defaultRunProperties map[string]string
  // Maximum number of concurrent runs
  maxConcurrentRuns int
  // Date the workflow was created
  createdAt time
  // Date the workflow was last modified
  updatedAt time
  // Tags for the workflow
  tags() map[string]string
}

// Amazon MSK (Managed Streaming for Apache Kafka)
aws.msk @defaults("clusters") {
  // List of MSK clusters
  clusters() []aws.msk.cluster
}

// Amazon MSK cluster
private aws.msk.cluster @defaults("name state clusterType region") {
  // ARN of the cluster
  arn string
  // Name of the cluster
  name string
  // Current state of the cluster: ACTIVE, CREATING, DELETING, FAILED, HEALING, MAINTENANCE, REBOOTING_BROKER, UPDATING
  state string
  // Cluster type: PROVISIONED or SERVERLESS
  clusterType string
  // Region where the cluster is deployed
  region string
  // Current version of the cluster
  currentVersion string
  // Kafka version running on the cluster
  kafkaVersion() string
  // Number of broker nodes
  numberOfBrokerNodes() int
  // Broker instance type
  brokerInstanceType() string
  // Whether encryption in transit between clients and brokers uses TLS, TLS_PLAINTEXT, or PLAINTEXT
  encryptionInTransitClientBroker() string
  // Whether broker-to-broker communication within the cluster is encrypted
  encryptionInTransitInCluster() bool
  // KMS key used for encryption at rest
  kmsKey() aws.kms.key
  // Whether IAM authentication is enabled
  iamAuthEnabled() bool
  // Whether SASL/SCRAM authentication is enabled
  scramAuthEnabled() bool
  // Whether TLS client authentication is enabled
  tlsAuthEnabled() bool
  // Whether public access is enabled
  publicAccess() bool
  // Whether CloudWatch logging is enabled for broker logs
  cloudwatchLogsEnabled() bool
  // CloudWatch log group for broker logs
  cloudwatchLogsGroup() string
  // Whether S3 logging is enabled for broker logs
  s3LogsEnabled() bool
  // S3 bucket for broker logs
  s3LogsBucket() string
  // Whether Firehose logging is enabled for broker logs
  firehoseLogsEnabled() bool
  // Enhanced monitoring level: DEFAULT, PER_BROKER, PER_TOPIC_PER_BROKER, PER_TOPIC_PER_PARTITION
  enhancedMonitoring() string
  // Whether JMX exporter is enabled for Prometheus
  jmxExporterEnabled() bool
  // Whether Node exporter is enabled for Prometheus
  nodeExporterEnabled() bool
  // Subnets where brokers are deployed
  subnets() []aws.vpc.subnet
  // Security groups attached to the cluster
  securityGroups() []aws.ec2.securitygroup
  // Date the cluster was created
  createdAt time
  // Tags for the cluster
  tags map[string]string
}

// Amazon MQ
aws.mq @defaults("brokers") {
  // List of MQ brokers
  brokers() []aws.mq.broker
}

// Amazon MQ message broker
private aws.mq.broker @defaults("name engineType deploymentMode state region") {
  // ARN of the broker
  arn string
  // Unique ID of the broker
  brokerId string
  // Name of the broker
  name string
  // Current state of the broker: CREATION_IN_PROGRESS, RUNNING, REBOOT_IN_PROGRESS, CREATION_FAILED, DELETION_IN_PROGRESS, CRITICAL_ACTION_REQUIRED
  state string
  // Engine type: ACTIVEMQ or RABBITMQ
  engineType string
  // Engine version
  engineVersion() string
  // Deployment mode: SINGLE_INSTANCE, ACTIVE_STANDBY_MULTI_AZ, or CLUSTER_MULTI_AZ
  deploymentMode string
  // Host instance type
  hostInstanceType string
  // Region where the broker is deployed
  region string
  // Whether the broker has a public endpoint
  publiclyAccessible() bool
  // Authentication strategy: SIMPLE, LDAP, or CONFIG_MANAGED
  authenticationStrategy() string
  // Whether the broker uses an AWS-owned KMS key for encryption at rest
  useAwsOwnedKey() bool
  // KMS key used for encryption at rest
  kmsKey() aws.kms.key
  // Whether general logging is enabled
  generalLogsEnabled() bool
  // Whether audit logging is enabled (ActiveMQ only)
  auditLogsEnabled() bool
  // Whether automatic minor version upgrades are enabled
  autoMinorVersionUpgrade() bool
  // Storage type: EBS or EFS
  storageType() string
  // Subnets where the broker is deployed
  subnets() []aws.vpc.subnet
  // Security groups attached to the broker
  securityGroups() []aws.ec2.securitygroup
  // Date the broker was created
  createdAt time
  // Tags for the broker
  tags() map[string]string
}

// AWS Batch
aws.batch @defaults("computeEnvironments") {
  // List of Batch compute environments
  computeEnvironments() []aws.batch.computeEnvironment
  // List of Batch job queues
  jobQueues() []aws.batch.jobQueue
  // List of Batch job definitions
  jobDefinitions() []aws.batch.jobDefinition
}

// AWS Batch compute environment
private aws.batch.computeEnvironment @defaults("arn name state status") {
  // ARN of the compute environment
  arn string
  // Name of the compute environment
  name string
  // Region of the compute environment
  region string
  // State: ENABLED or DISABLED
  state string
  // Status: CREATING, UPDATING, DELETING, DELETED, VALID, INVALID
  status string
  // Status reason
  statusReason string
  // Type: MANAGED or UNMANAGED
  type string
  // Container orchestration type: ECS or EKS
  containerOrchestrationType string
  // ECS cluster associated with the compute environment
  ecsCluster() aws.ecs.cluster
  // Maximum vCPUs for compute resources
  maxVcpus() int
  // Minimum vCPUs for compute resources
  minVcpus() int
  // Desired vCPUs for compute resources
  desiredVcpus() int
  // Compute resource type: EC2, SPOT, FARGATE, or FARGATE_SPOT
  computeResourceType() string
  // Instance types used by the compute environment
  instanceTypes() []string
  // Allocation strategy: BEST_FIT, BEST_FIT_PROGRESSIVE, SPOT_CAPACITY_OPTIMIZED, SPOT_PRICE_CAPACITY_OPTIMIZED
  allocationStrategy() string
  // Subnets for the compute resources
  subnets() []aws.vpc.subnet
  // Security groups for the compute resources
  securityGroups() []aws.ec2.securitygroup
  // IAM role for the compute environment
  iamRole() aws.iam.role
  // Tags for the compute environment
  tags map[string]string
}

// AWS Batch job queue
private aws.batch.jobQueue @defaults("arn name state status") {
  // ARN of the job queue
  arn string
  // Name of the job queue
  name string
  // Region of the job queue
  region string
  // State: ENABLED or DISABLED
  state string
  // Status: CREATING, UPDATING, DELETING, DELETED, VALID, INVALID
  status string
  // Status reason
  statusReason string
  // Priority of the job queue (lower is higher priority)
  priority int
  // Compute environments attached to this queue (ordered by priority)
  computeEnvironmentOrder() []dict
  // Tags for the job queue
  tags map[string]string
}

// AWS Batch job definition
private aws.batch.jobDefinition @defaults("arn name type status") {
  // ARN of the job definition
  arn string
  // Name of the job definition
  name string
  // Region of the job definition
  region string
  // Revision number
  revision int
  // Type: container, multinode
  type string
  // Status: ACTIVE or INACTIVE
  status string
  // Container properties
  containerProperties() dict
  // Node properties for multi-node jobs
  nodeProperties() dict
  // Retry strategy
  retryStrategy() dict
  // Timeout configuration
  timeout() dict
  // Tags for the job definition
  tags map[string]string
}

// Amazon Lightsail
aws.lightsail @defaults("instances") {
  // List of Lightsail instances
  instances() []aws.lightsail.instance
  // List of Lightsail databases
  databases() []aws.lightsail.database
  // List of Lightsail load balancers
  loadBalancers() []aws.lightsail.loadBalancer
  // List of Lightsail buckets
  buckets() []aws.lightsail.bucket
}

// Amazon Lightsail instance
private aws.lightsail.instance @defaults("name arn state") {
  // Name of the instance
  name string
  // ARN of the instance
  arn string
  // Region of the instance
  region string
  // Availability zone
  availabilityZone string
  // Blueprint ID (e.g., amazon_linux_2, ubuntu_20_04)
  blueprintId string
  // Blueprint name
  blueprintName string
  // Bundle ID (e.g., nano_3_0, micro_3_0)
  bundleId string
  // Instance state (running, stopped, pending, stopping)
  state string
  // Public IP address
  publicIpAddress string
  // Private IP address
  privateIpAddress string
  // IPv6 addresses
  ipv6Addresses []string
  // Whether the instance has a static IP
  isStaticIp bool
  // CPU count
  cpuCount() int
  // RAM size in GB
  ramSizeInGb() float
  // Username for SSH access
  username string
  // SSH key name
  sshKeyName string
  // Date the instance was created
  createdAt time
  // Tags for the instance
  tags map[string]string
  // Firewall rules (open ports, CIDRs, protocols)
  firewallRules() []dict
}

// Amazon Lightsail relational database
private aws.lightsail.database @defaults("name arn state") {
  // Name of the database
  name string
  // ARN of the database
  arn string
  // Region of the database
  region string
  // Availability zone
  availabilityZone string
  // Database engine (mysql or postgres)
  engine string
  // Database engine version
  engineVersion string
  // State of the database
  state string
  // Master username
  masterUsername string
  // Master database name
  masterDatabaseName string
  // Whether backup retention is enabled
  backupRetentionEnabled bool
  // Preferred backup window
  preferredBackupWindow string
  // Preferred maintenance window
  preferredMaintenanceWindow string
  // Whether the database is publicly accessible
  publiclyAccessible bool
  // Endpoint address
  endpointAddress() string
  // Endpoint port
  endpointPort() int
  // CA certificate identifier
  caCertificateIdentifier string
  // Whether pending modified values exist
  hasPendingModifiedValues() bool
  // Date the database was created
  createdAt time
  // Tags for the database
  tags map[string]string
}

// Amazon Lightsail load balancer
private aws.lightsail.loadBalancer @defaults("name arn state") {
  // Name of the load balancer
  name string
  // ARN of the load balancer
  arn string
  // Region of the load balancer
  region string
  // Availability zones
  availabilityZones []string
  // State: active, provisioning, active_impaired, failed, unknown
  state string
  // Protocol: HTTP_HTTPS or HTTP
  protocol string
  // Public ports
  publicPorts []int
  // Health check path
  healthCheckPath string
  // Instance port
  instancePort int
  // Instance health summary
  instanceHealthSummary() []dict
  // TLS certificate summaries
  tlsCertificateSummaries() []dict
  // Whether HTTPS redirection is enabled
  httpsRedirectionEnabled() bool
  // DNS name
  dnsName string
  // Date the load balancer was created
  createdAt time
  // Tags for the load balancer
  tags map[string]string
}

// Amazon Lightsail bucket
private aws.lightsail.bucket @defaults("name arn") {
  // Name of the bucket
  name string
  // ARN of the bucket
  arn string
  // Region of the bucket
  region string
  // Bundle ID (storage plan)
  bundleId string
  // State of the bucket
  state string
  // Object versioning state: Enabled, Suspended, NeverEnabled
  objectVersioning string
  // Whether the bucket's bundle can be updated to a different storage plan
  ableToUpdateBundle bool
  // URL of the bucket
  url string
  // Access rules for the bucket
  accessRules() dict
  // AWS account IDs with read-only access to the bucket
  readonlyAccessAccounts []string
  // Lightsail resources that have access to the bucket
  resourcesReceivingAccess() []dict
  // Date the bucket was created
  createdAt time
  // Tags for the bucket
  tags map[string]string
}

// AWS CloudFormation
aws.cloudformation @defaults("stacks") {
  // List of CloudFormation stacks
  stacks() []aws.cloudformation.stack
  // List of CloudFormation stack sets
  stackSets() []aws.cloudformation.stackSet
}

// AWS CloudFormation stack
private aws.cloudformation.stack @defaults("name status") {
  // Unique ID of the stack
  stackId string
  // Name of the stack
  name string
  // Region of the stack
  region string
  // Current status of the stack
  status string
  // Reason for the current status
  statusReason string
  // Description of the stack
  description string
  // Whether termination protection is enabled
  enableTerminationProtection bool
  // Stack capabilities (e.g., CAPABILITY_IAM, CAPABILITY_NAMED_IAM)
  capabilities []string
  // SNS topics for stack notification
  notificationTopics() []aws.sns.topic
  // Drift detection status: DRIFTED, IN_SYNC, NOT_CHECKED, UNKNOWN
  driftStatus string
  // IAM role used to create/update the stack
  iamRole() aws.iam.role
  // Stack parameters
  parameters() []dict
  // Stack outputs
  outputs() []dict
  // Stack tags
  tags map[string]string
  // Date the stack was created
  createdAt time
  // Date the stack was last updated
  updatedAt time
}

// AWS CloudFormation stack set
private aws.cloudformation.stackSet @defaults("name status") {
  // Unique ID of the stack set
  stackSetId string
  // Name of the stack set
  name string
  // Region of the stack set
  region string
  // Status: ACTIVE or DELETED
  status string
  // Description of the stack set
  description string
  // Permission model: SERVICE_MANAGED or SELF_MANAGED
  permissionModel string
  // Drift detection status
  driftStatus string
  // Whether auto deployment is enabled
  autoDeploymentEnabled() bool
  // Tags for the stack set
  tags() map[string]string
}