agent-claw: automated task changes

cdk/node_modules/aws-cdk-lib/custom-resources/.jsiirc.json

@@ -0,0 +1,13 @@
+{
+  "targets": {
+    "java": {
+      "package": "software.amazon.awscdk.customresources"
+    },
+    "dotnet": {
+      "namespace": "Amazon.CDK.CustomResources"
+    },
+    "python": {
+      "module": "aws_cdk.custom_resources"
+    }
+  }
+}

cdk/node_modules/aws-cdk-lib/custom-resources/index.d.ts

@@ -0,0 +1 @@
+export * from './lib';

cdk/node_modules/aws-cdk-lib/custom-resources/lib/aws-custom-resource/aws-custom-resource.d.ts

@@ -0,0 +1,429 @@
+import { Construct } from 'constructs';
+import { Logging } from './logging';
+import type * as ec2 from '../../../aws-ec2';
+import * as iam from '../../../aws-iam';
+import type * as logs from '../../../aws-logs';
+import * as cdk from '../../../core';
+/**
+ * Reference to the physical resource id that can be passed to the AWS operation as a parameter.
+ */
+export declare class PhysicalResourceIdReference implements cdk.IResolvable {
+    readonly creationStack: string[];
+    /**
+     * toJSON serialization to replace `PhysicalResourceIdReference` with a magic string.
+     */
+    toJSON(): string;
+    resolve(_context: cdk.IResolveContext): any;
+    toString(): string;
+}
+/**
+ * Physical ID of the custom resource.
+ */
+export declare class PhysicalResourceId {
+    readonly responsePath?: string | undefined;
+    readonly id?: string | undefined;
+    /**
+     * Extract the physical resource id from the path (dot notation) to the data in the API call response.
+     */
+    static fromResponse(responsePath: string): PhysicalResourceId;
+    /**
+     * Explicit physical resource id.
+     */
+    static of(id: string): PhysicalResourceId;
+    /**
+     * @param responsePath Path to a response data element to be used as the physical id.
+     * @param id Literal string to be used as the physical id.
+     */
+    private constructor();
+}
+/**
+ * An AWS SDK call.
+ *
+ * @example
+ *
+ *    new cr.AwsCustomResource(this, 'GetParameterCustomResource', {
+ *      onUpdate: { // will also be called for a CREATE event
+ *        service: 'SSM',
+ *        action: 'getParameter',
+ *        parameters: {
+ *          Name: 'my-parameter',
+ *          WithDecryption: true,
+ *        },
+ *        physicalResourceId: cr.PhysicalResourceId.fromResponse('Parameter.ARN'),
+ *      },
+ *      policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
+ *        resources: cr.AwsCustomResourcePolicy.ANY_RESOURCE,
+ *      }),
+ *    });
+ *
+ */
+export interface AwsSdkCall {
+    /**
+     * The service to call
+     *
+     * This is the name of an AWS service, in one of the following forms:
+     *
+     * - An AWS SDK for JavaScript v3 package name (`@aws-sdk/client-api-gateway`)
+     * - An AWS SDK for JavaScript v3 client name (`api-gateway`)
+     * - An AWS SDK for JavaScript v2 constructor name (`APIGateway`)
+     * - A lowercase AWS SDK for JavaScript v2 constructor name (`apigateway`)
+     *
+     * @see https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/index.html
+     */
+    readonly service: string;
+    /**
+     * The service action to call
+     *
+     * This is the name of an AWS API call, in one of the following forms:
+     *
+     * - An API call name as found in the API Reference documentation (`GetObject`)
+     * - The API call name starting with a lowercase letter (`getObject`)
+     * - The AWS SDK for JavaScript v3 command class name (`GetObjectCommand`)
+     *
+     * @see https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/index.html
+     */
+    readonly action: string;
+    /**
+     * The parameters for the service action
+     *
+     * @default - no parameters
+     * @see https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/index.html
+     */
+    readonly parameters?: any;
+    /**
+     * The physical resource id of the custom resource for this call.
+     * Mandatory for onCreate call.
+     * In onUpdate, you can omit this to passthrough it from request.
+     *
+     * @default - no physical resource id
+     */
+    readonly physicalResourceId?: PhysicalResourceId;
+    /**
+     * The regex pattern to use to catch API errors. The `code` property of the
+     * `Error` object will be tested against this pattern. If there is a match an
+     * error will not be thrown.
+     *
+     * @default - do not catch errors
+     */
+    readonly ignoreErrorCodesMatching?: string;
+    /**
+     * API version to use for the service
+     *
+     * @see https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/locking-api-versions.html
+     * @default - use latest available API version
+     */
+    readonly apiVersion?: string;
+    /**
+     * The region to send service requests to.
+     * **Note: Cross-region operations are generally considered an anti-pattern.**
+     * **Consider first deploying a stack in that region.**
+     *
+     * @default - the region where this custom resource is deployed
+     */
+    readonly region?: string;
+    /**
+     * Restrict the data returned by the custom resource to specific paths in
+     * the API response. Use this to limit the data returned by the custom
+     * resource if working with API calls that could potentially result in custom
+     * response objects exceeding the hard limit of 4096 bytes.
+     *
+     * Example for ECS / updateService: ['service.deploymentConfiguration.maximumPercent']
+     *
+     * @default - return all data
+     */
+    readonly outputPaths?: string[];
+    /**
+     * Used for running the SDK calls in underlying lambda with a different role.
+     * Can be used primarily for cross-account requests to for example connect
+     * hostedzone with a shared vpc.
+     * Region controls where assumeRole call is made.
+     *
+     * Example for Route53 / associateVPCWithHostedZone
+     *
+     * @default - run without assuming role
+     */
+    readonly assumedRoleArn?: string;
+    /**
+     * External ID to use when assuming the role for cross-account requests.
+     * This is an additional security measure that helps prevent the "confused deputy"
+     * problem where an entity that doesn't have permission to perform an action
+     * can coerce a more-privileged entity to perform the action.
+     *
+     * The external ID must be provided by the third-party service and should not
+     * be generated by you. This value should be unique among the third-party
+     * service's customers.
+     *
+     * This property is only used when `assumedRoleArn` is specified.
+     *
+     * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html
+     * @default - no external ID
+     */
+    readonly externalId?: string;
+    /**
+     * A property used to configure logging during lambda function execution.
+     *
+     * Note: The default Logging configuration is all. This configuration will enable logging on all logged data
+     * in the lambda handler. This includes:
+     *  - The event object that is received by the lambda handler
+     *  - The response received after making a API call
+     *  - The response object that the lambda handler will return
+     *  - SDK versioning information
+     *  - Caught and uncaught errors
+     *
+     * @default Logging.all()
+     */
+    readonly logging?: Logging;
+}
+/**
+ * Options for the auto-generation of policies based on the configured SDK calls.
+ */
+export interface SdkCallsPolicyOptions {
+    /**
+     * The resources that the calls will have access to.
+     *
+     * It is best to use specific resource ARN's when possible. However, you can also use `AwsCustomResourcePolicy.ANY_RESOURCE`
+     * to allow access to all resources. For example, when `onCreate` is used to create a resource which you don't
+     * know the physical name of in advance.
+     *
+     * Note that will apply to ALL SDK calls.
+     */
+    readonly resources: string[];
+}
+/**
+ * The IAM Policy that will be applied to the different calls.
+ */
+export declare class AwsCustomResourcePolicy {
+    readonly statements: iam.PolicyStatement[];
+    readonly resources?: string[] | undefined;
+    /**
+     * Use this constant to configure access to any resource.
+     */
+    static readonly ANY_RESOURCE: string[];
+    /**
+     * Explicit IAM Policy Statements.
+     *
+     * @param statements the statements to propagate to the SDK calls.
+     */
+    static fromStatements(statements: iam.PolicyStatement[]): AwsCustomResourcePolicy;
+    /**
+     * Generate IAM Policy Statements from the configured SDK calls.
+     *
+     * Each SDK call with be translated to an IAM Policy Statement in the form of: `call.service:call.action` (e.g `s3:PutObject`).
+     *
+     * This policy generator assumes the IAM policy name has the same name as the API
+     * call. This is true in 99% of cases, but there are exceptions (for example,
+     * S3's `PutBucketLifecycleConfiguration` requires
+     * `s3:PutLifecycleConfiguration` permissions, Lambda's `Invoke` requires
+     * `lambda:InvokeFunction` permissions). Use `fromStatements` if you want to
+     * do a call that requires different IAM action names.
+     *
+     * @param options options for the policy generation
+     */
+    static fromSdkCalls(options: SdkCallsPolicyOptions): AwsCustomResourcePolicy;
+    /**
+     * @param statements statements for explicit policy.
+     * @param resources resources for auto-generated from SDK calls.
+     */
+    private constructor();
+}
+/**
+ * Properties for AwsCustomResource.
+ *
+ * Note that at least onCreate, onUpdate or onDelete must be specified.
+ */
+export interface AwsCustomResourceProps {
+    /**
+     * Cloudformation Resource type.
+     *
+     * @default - Custom::AWS
+     */
+    readonly resourceType?: string;
+    /**
+     * The AWS SDK call to make when the resource is created.
+     *
+     * @default - the call when the resource is updated
+     */
+    readonly onCreate?: AwsSdkCall;
+    /**
+     * The AWS SDK call to make when the resource is updated
+     *
+     * @default - no call
+     */
+    readonly onUpdate?: AwsSdkCall;
+    /**
+     * The AWS SDK call to make when the resource is deleted
+     *
+     * @default - no call
+     */
+    readonly onDelete?: AwsSdkCall;
+    /**
+     * The policy that will be added to the execution role of the Lambda
+     * function implementing this custom resource provider.
+     *
+     * The custom resource also implements `iam.IGrantable`, making it possible
+     * to use the `grantXxx()` methods.
+     *
+     * As this custom resource uses a singleton Lambda function, it's important
+     * to note the that function's role will eventually accumulate the
+     * permissions/grants from all resources.
+     *
+     * Note that a policy must be specified if `role` is not provided, as
+     * by default a new role is created which requires policy changes to access
+     * resources.
+     *
+     * @default - no policy added
+     *
+     * @see Policy.fromStatements
+     * @see Policy.fromSdkCalls
+     */
+    readonly policy?: AwsCustomResourcePolicy;
+    /**
+     * The execution role for the singleton Lambda function implementing this custom
+     * resource provider. This role will apply to all `AwsCustomResource`
+     * instances in the stack. The role must be assumable by the
+     * `lambda.amazonaws.com` service principal.
+     *
+     * @default - a new role is created
+     */
+    readonly role?: iam.IRole;
+    /**
+     * The timeout for the singleton Lambda function implementing this custom resource.
+     *
+     * @default Duration.minutes(2)
+     */
+    readonly timeout?: cdk.Duration;
+    /**
+     * The memory size for the singleton Lambda function implementing this custom resource.
+     *
+     * @default 512 mega in case if installLatestAwsSdk is false.
+     */
+    readonly memorySize?: number;
+    /**
+     * The number of days log events of the singleton Lambda function implementing
+     * this custom resource are kept in CloudWatch Logs.
+     *
+     * This is a legacy API and we strongly recommend you migrate to `logGroup` if you can.
+     * `logGroup` allows you to create a fully customizable log group and instruct the Lambda function to send logs to it.
+     *
+     * @default logs.RetentionDays.INFINITE
+     */
+    readonly logRetention?: logs.RetentionDays;
+    /**
+     * The Log Group used for logging of events emitted by the custom resource's lambda function.
+     *
+     * Providing a user-controlled log group was rolled out to commercial regions on 2023-11-16.
+     * If you are deploying to another type of region, please check regional availability first.
+     *
+     * @default - a default log group created by AWS Lambda
+     */
+    readonly logGroup?: logs.ILogGroupRef;
+    /**
+     * Whether to install the latest AWS SDK v3.
+     *
+     * If not specified, this uses whatever JavaScript SDK version is the default in
+     * AWS Lambda at the time of execution.
+     *
+     * Otherwise, installs the latest version from 'npmjs.com'. The installation takes
+     * around 60 seconds and requires internet connectivity.
+     *
+     * The default can be controlled using the context key
+     * `@aws-cdk/customresources:installLatestAwsSdkDefault` is.
+     *
+     * @default - The value of `@aws-cdk/customresources:installLatestAwsSdkDefault`, otherwise `true`
+     */
+    readonly installLatestAwsSdk?: boolean;
+    /**
+     * A name for the singleton Lambda function implementing this custom resource.
+     * The function name will remain the same after the first AwsCustomResource is created in a stack.
+     *
+     * @default - AWS CloudFormation generates a unique physical ID and uses that
+     * ID for the function's name. For more information, see Name Type.
+     */
+    readonly functionName?: string;
+    /**
+     * The policy to apply when this resource is removed from the application.
+     *
+     * @default cdk.RemovalPolicy.Destroy
+     */
+    readonly removalPolicy?: cdk.RemovalPolicy;
+    /**
+     * The vpc to provision the lambda function in.
+     *
+     * @default - the function is not provisioned inside a vpc.
+     */
+    readonly vpc?: ec2.IVpc;
+    /**
+     * Which subnets from the VPC to place the lambda function in.
+     *
+     * Only used if 'vpc' is supplied. Note: internet access for Lambdas
+     * requires a NAT gateway, so picking Public subnets is not allowed.
+     *
+     * @default - the Vpc default strategy if not specified
+     */
+    readonly vpcSubnets?: ec2.SubnetSelection;
+    /**
+     * The maximum time that can elapse before a custom resource operation times out.
+     *
+     * You should not need to set this property. It is intended to allow quick turnaround
+     * even if the implementor of the custom resource forgets to include a `try/catch`.
+     * We have included the `try/catch`, and AWS service calls usually do not take an hour
+     * to complete.
+     *
+     * The value must be between 1 second and 3600 seconds.
+     *
+     * @default Duration.seconds(3600)
+     */
+    readonly serviceTimeout?: cdk.Duration;
+}
+/**
+ * Defines a custom resource that is materialized using specific AWS API calls. These calls are created using
+ * a singleton Lambda function.
+ *
+ * Use this to bridge any gap that might exist in the CloudFormation Coverage.
+ * You can specify exactly which calls are invoked for the 'CREATE', 'UPDATE' and 'DELETE' life cycle events.
+ *
+ */
+export declare class AwsCustomResource extends Construct implements iam.IGrantable {
+    /**
+     * Uniquely identifies this class.
+     */
+    static readonly PROPERTY_INJECTION_ID: string;
+    /**
+     * The uuid of the custom resource provider singleton lambda function.
+     */
+    static readonly PROVIDER_FUNCTION_UUID = "679f53fa-c002-430c-b0da-5b7982bd2287";
+    private static breakIgnoreErrorsCircuit;
+    readonly grantPrincipal: iam.IPrincipal;
+    private readonly customResource;
+    private readonly props;
+    constructor(scope: Construct, id: string, props: AwsCustomResourceProps);
+    /**
+     * Returns response data for the AWS SDK call.
+     *
+     * Example for S3 / listBucket : 'Buckets.0.Name'
+     *
+     * Use `Token.asXxx` to encode the returned `Reference` as a specific type or
+     * use the convenience `getDataString` for string attributes.
+     *
+     * Note that you cannot use this method if `ignoreErrorCodesMatching`
+     * is configured for any of the SDK calls. This is because in such a case,
+     * the response data might not exist, and will cause a CloudFormation deploy time error.
+     *
+     * @param dataPath the path to the data
+     */
+    getResponseFieldReference(dataPath: string): cdk.Reference;
+    /**
+     * Returns response data for the AWS SDK call as string.
+     *
+     * Example for S3 / listBucket : 'Buckets.0.Name'
+     *
+     * Note that you cannot use this method if `ignoreErrorCodesMatching`
+     * is configured for any of the SDK calls. This is because in such a case,
+     * the response data might not exist, and will cause a CloudFormation deploy time error.
+     *
+     * @param dataPath the path to the data
+     */
+    getResponseField(dataPath: string): string;
+    private formatSdkCall;
+    private encodeJson;
+}

cdk/node_modules/aws-cdk-lib/custom-resources/lib/aws-custom-resource/index.d.ts

@@ -0,0 +1,2 @@
+export * from './aws-custom-resource';
+export * from './logging';

cdk/node_modules/aws-cdk-lib/custom-resources/lib/aws-custom-resource/index.js

@@ -0,0 +1 @@
+"use strict";var __createBinding=exports&&exports.__createBinding||(Object.create?(function(o,m,k,k2){k2===void 0&&(k2=k);var desc=Object.getOwnPropertyDescriptor(m,k);(!desc||("get"in desc?!m.__esModule:desc.writable||desc.configurable))&&(desc={enumerable:!0,get:function(){return m[k]}}),Object.defineProperty(o,k2,desc)}):(function(o,m,k,k2){k2===void 0&&(k2=k),o[k2]=m[k]})),__exportStar=exports&&exports.__exportStar||function(m,exports2){for(var p in m)p!=="default"&&!Object.prototype.hasOwnProperty.call(exports2,p)&&__createBinding(exports2,m,p)};Object.defineProperty(exports,"__esModule",{value:!0});var _noFold;exports.PhysicalResourceIdReference=void 0,Object.defineProperty(exports,_noFold="PhysicalResourceIdReference",{enumerable:!0,configurable:!0,get:()=>{var value=require("./aws-custom-resource").PhysicalResourceIdReference;return Object.defineProperty(exports,_noFold="PhysicalResourceIdReference",{enumerable:!0,configurable:!0,value}),value}}),exports.PhysicalResourceId=void 0,Object.defineProperty(exports,_noFold="PhysicalResourceId",{enumerable:!0,configurable:!0,get:()=>{var value=require("./aws-custom-resource").PhysicalResourceId;return Object.defineProperty(exports,_noFold="PhysicalResourceId",{enumerable:!0,configurable:!0,value}),value}}),exports.AwsCustomResourcePolicy=void 0,Object.defineProperty(exports,_noFold="AwsCustomResourcePolicy",{enumerable:!0,configurable:!0,get:()=>{var value=require("./aws-custom-resource").AwsCustomResourcePolicy;return Object.defineProperty(exports,_noFold="AwsCustomResourcePolicy",{enumerable:!0,configurable:!0,value}),value}}),exports.AwsCustomResource=void 0,Object.defineProperty(exports,_noFold="AwsCustomResource",{enumerable:!0,configurable:!0,get:()=>{var value=require("./aws-custom-resource").AwsCustomResource;return Object.defineProperty(exports,_noFold="AwsCustomResource",{enumerable:!0,configurable:!0,value}),value}}),exports.Logging=void 0,Object.defineProperty(exports,_noFold="Logging",{enumerable:!0,configurable:!0,get:()=>{var value=require("./logging").Logging;return Object.defineProperty(exports,_noFold="Logging",{enumerable:!0,configurable:!0,value}),value}});

cdk/node_modules/aws-cdk-lib/custom-resources/lib/aws-custom-resource/logging.d.ts

@@ -0,0 +1,42 @@
+import type { Construct } from 'constructs';
+/**
+ * Properties used to initialize Logging.
+ */
+export interface LoggingProps {
+    /**
+     * Whether or not to log data associated with the API call response.
+     *
+     * @default true
+     */
+    readonly logApiResponseData?: boolean;
+}
+/**
+ * A class used to configure Logging during AwsCustomResource SDK calls.
+ */
+export declare abstract class Logging {
+    /**
+     * Enables logging of all logged data in the lambda handler.
+     *
+     * This includes the event object, the API call response, all fields in the response object
+     * returned by the lambda, and any errors encountered.
+     */
+    static all(): Logging;
+    /**
+     * Hides logging of data associated with the API call response. This includes hiding the raw API
+     * call response and the `Data` field associated with the lambda handler response.
+     */
+    static withDataHidden(): Logging;
+    /**
+     * Whether or not to log data associated with the API call response.
+     */
+    private logApiResponseData?;
+    protected constructor(props?: LoggingProps);
+    /**
+     * @internal
+     */
+    _render(scope: Construct): {
+        logApiResponseData: boolean;
+    } | {
+        logApiResponseData?: undefined;
+    };
+}

cdk/node_modules/aws-cdk-lib/custom-resources/lib/aws-custom-resource/logging.js

@@ -0,0 +1 @@
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.Logging=void 0;var jsiiDeprecationWarnings=()=>{var tmp=require("../../../.warnings.jsii.js");return jsiiDeprecationWarnings=()=>tmp,tmp};const JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti");var core_1=()=>{var tmp=require("../../../core");return core_1=()=>tmp,tmp},cx_api_1=()=>{var tmp=require("../../../cx-api");return cx_api_1=()=>tmp,tmp};class Logging{static[JSII_RTTI_SYMBOL_1]={fqn:"aws-cdk-lib.custom_resources.Logging",version:"2.252.0"};static all(){return new class extends Logging{constructor(){super()}}}static withDataHidden(){return new class extends Logging{constructor(){super({logApiResponseData:!1})}}}logApiResponseData;constructor(props={}){try{jsiiDeprecationWarnings().aws_cdk_lib_custom_resources_LoggingProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,Logging),error}this.logApiResponseData=props.logApiResponseData}_render(scope){return core_1().FeatureFlags.of(scope).isEnabled(cx_api_1().LOG_API_RESPONSE_DATA_PROPERTY_TRUE_DEFAULT)&&this.logApiResponseData===void 0&&(this.logApiResponseData=!0),this.logApiResponseData!==void 0?{logApiResponseData:this.logApiResponseData}:{}}}exports.Logging=Logging;

cdk/node_modules/aws-cdk-lib/custom-resources/lib/custom-resource-config/custom-resource-config.d.ts

@@ -0,0 +1,71 @@
+import type { IConstruct } from 'constructs';
+import type * as lambda from '../../../aws-lambda';
+import * as logs from '../../../aws-logs';
+import type { IAspect, RemovalPolicy } from '../../../core/lib';
+export declare const CUSTOM_RESOURCE_PROVIDER = "aws:cdk:is-custom-resource-handler-customResourceProvider";
+export declare const CUSTOM_RESOURCE_SINGLETON = "aws:cdk:is-custom-resource-handler-singleton";
+export declare const CUSTOM_RESOURCE_SINGLETON_LOG_GROUP = "aws:cdk:is-custom-resource-handler-logGroup";
+export declare const CUSTOM_RESOURCE_SINGLETON_LOG_RETENTION = "aws:cdk:is-custom-resource-handler-logRetention";
+export declare const CUSTOM_RESOURCE_RUNTIME_FAMILY = "aws:cdk:is-custom-resource-handler-runtime-family";
+/**
+ * Manages AWS-vended Custom Resources
+ *
+ * This feature is currently experimental.
+ */
+export declare class CustomResourceConfig {
+    private readonly scope;
+    /**
+     * Returns the CustomResourceConfig for this scope.
+     */
+    static of(scope: IConstruct): CustomResourceConfig;
+    private constructor();
+    /**
+     * Set the log retention of AWS-vended custom resource lambdas.
+     *
+     * This feature is currently experimental.
+     */
+    addLogRetentionLifetime(retention: logs.RetentionDays): void;
+    /**
+     * Set the removal policy of AWS-vended custom resource logGroup.
+     *
+     * This feature is currently experimental.
+     */
+    addRemovalPolicy(removalPolicy: RemovalPolicy): void;
+    /**
+     * Set the runtime version on AWS-vended custom resources lambdas.
+     *
+     * This feature is currently experimental.
+     */
+    addLambdaRuntime(lambdaRuntime: lambda.Runtime): void;
+}
+/**
+ * Manages log retention for AWS-vended custom resources.
+ *
+ * This feature is currently experimental.
+ */
+export declare class CustomResourceLogRetention implements IAspect {
+    private readonly logRetention;
+    constructor(setLogRetention: logs.RetentionDays);
+    visit(node: IConstruct): void;
+    private createLogGroup;
+}
+/**
+ * Manages removal policy for AWS-vended custom resources.
+ *
+ * This feature is currently experimental.
+ */
+export declare class CustomResourceRemovalPolicy implements IAspect {
+    private readonly removalPolicy;
+    constructor(removalPolicy: RemovalPolicy);
+    visit(node: IConstruct): void;
+}
+/**
+ * Manages lambda runtime for AWS-vended custom resources.
+ *
+ * This feature is currently experimental.
+ */
+export declare class CustomResourceLambdaRuntime implements IAspect {
+    private readonly lambdaRuntime;
+    constructor(lambdaRuntime: lambda.Runtime);
+    visit(node: IConstruct): void;
+}

cdk/node_modules/aws-cdk-lib/custom-resources/lib/custom-resource-config/index.d.ts

@@ -0,0 +1 @@
+export * from './custom-resource-config';

cdk/node_modules/aws-cdk-lib/custom-resources/lib/custom-resource-config/index.js

@@ -0,0 +1 @@
+"use strict";var __createBinding=exports&&exports.__createBinding||(Object.create?(function(o,m,k,k2){k2===void 0&&(k2=k);var desc=Object.getOwnPropertyDescriptor(m,k);(!desc||("get"in desc?!m.__esModule:desc.writable||desc.configurable))&&(desc={enumerable:!0,get:function(){return m[k]}}),Object.defineProperty(o,k2,desc)}):(function(o,m,k,k2){k2===void 0&&(k2=k),o[k2]=m[k]})),__exportStar=exports&&exports.__exportStar||function(m,exports2){for(var p in m)p!=="default"&&!Object.prototype.hasOwnProperty.call(exports2,p)&&__createBinding(exports2,m,p)};Object.defineProperty(exports,"__esModule",{value:!0});var _noFold;exports.CUSTOM_RESOURCE_PROVIDER=void 0,Object.defineProperty(exports,_noFold="CUSTOM_RESOURCE_PROVIDER",{enumerable:!0,configurable:!0,get:()=>{var value=require("./custom-resource-config").CUSTOM_RESOURCE_PROVIDER;return Object.defineProperty(exports,_noFold="CUSTOM_RESOURCE_PROVIDER",{enumerable:!0,configurable:!0,value}),value}}),exports.CUSTOM_RESOURCE_SINGLETON=void 0,Object.defineProperty(exports,_noFold="CUSTOM_RESOURCE_SINGLETON",{enumerable:!0,configurable:!0,get:()=>{var value=require("./custom-resource-config").CUSTOM_RESOURCE_SINGLETON;return Object.defineProperty(exports,_noFold="CUSTOM_RESOURCE_SINGLETON",{enumerable:!0,configurable:!0,value}),value}}),exports.CUSTOM_RESOURCE_SINGLETON_LOG_GROUP=void 0,Object.defineProperty(exports,_noFold="CUSTOM_RESOURCE_SINGLETON_LOG_GROUP",{enumerable:!0,configurable:!0,get:()=>{var value=require("./custom-resource-config").CUSTOM_RESOURCE_SINGLETON_LOG_GROUP;return Object.defineProperty(exports,_noFold="CUSTOM_RESOURCE_SINGLETON_LOG_GROUP",{enumerable:!0,configurable:!0,value}),value}}),exports.CUSTOM_RESOURCE_SINGLETON_LOG_RETENTION=void 0,Object.defineProperty(exports,_noFold="CUSTOM_RESOURCE_SINGLETON_LOG_RETENTION",{enumerable:!0,configurable:!0,get:()=>{var value=require("./custom-resource-config").CUSTOM_RESOURCE_SINGLETON_LOG_RETENTION;return Object.defineProperty(exports,_noFold="CUSTOM_RESOURCE_SINGLETON_LOG_RETENTION",{enumerable:!0,configurable:!0,value}),value}}),exports.CUSTOM_RESOURCE_RUNTIME_FAMILY=void 0,Object.defineProperty(exports,_noFold="CUSTOM_RESOURCE_RUNTIME_FAMILY",{enumerable:!0,configurable:!0,get:()=>{var value=require("./custom-resource-config").CUSTOM_RESOURCE_RUNTIME_FAMILY;return Object.defineProperty(exports,_noFold="CUSTOM_RESOURCE_RUNTIME_FAMILY",{enumerable:!0,configurable:!0,value}),value}}),exports.CustomResourceConfig=void 0,Object.defineProperty(exports,_noFold="CustomResourceConfig",{enumerable:!0,configurable:!0,get:()=>{var value=require("./custom-resource-config").CustomResourceConfig;return Object.defineProperty(exports,_noFold="CustomResourceConfig",{enumerable:!0,configurable:!0,value}),value}}),exports.CustomResourceLogRetention=void 0,Object.defineProperty(exports,_noFold="CustomResourceLogRetention",{enumerable:!0,configurable:!0,get:()=>{var value=require("./custom-resource-config").CustomResourceLogRetention;return Object.defineProperty(exports,_noFold="CustomResourceLogRetention",{enumerable:!0,configurable:!0,value}),value}}),exports.CustomResourceRemovalPolicy=void 0,Object.defineProperty(exports,_noFold="CustomResourceRemovalPolicy",{enumerable:!0,configurable:!0,get:()=>{var value=require("./custom-resource-config").CustomResourceRemovalPolicy;return Object.defineProperty(exports,_noFold="CustomResourceRemovalPolicy",{enumerable:!0,configurable:!0,value}),value}}),exports.CustomResourceLambdaRuntime=void 0,Object.defineProperty(exports,_noFold="CustomResourceLambdaRuntime",{enumerable:!0,configurable:!0,get:()=>{var value=require("./custom-resource-config").CustomResourceLambdaRuntime;return Object.defineProperty(exports,_noFold="CustomResourceLambdaRuntime",{enumerable:!0,configurable:!0,value}),value}});

cdk/node_modules/aws-cdk-lib/custom-resources/lib/helpers-internal/index.d.ts

@@ -0,0 +1 @@
+export * from './sdk-info';

cdk/node_modules/aws-cdk-lib/custom-resources/lib/helpers-internal/index.js

@@ -0,0 +1 @@
+"use strict";var __createBinding=exports&&exports.__createBinding||(Object.create?(function(o,m,k,k2){k2===void 0&&(k2=k);var desc=Object.getOwnPropertyDescriptor(m,k);(!desc||("get"in desc?!m.__esModule:desc.writable||desc.configurable))&&(desc={enumerable:!0,get:function(){return m[k]}}),Object.defineProperty(o,k2,desc)}):(function(o,m,k,k2){k2===void 0&&(k2=k),o[k2]=m[k]})),__exportStar=exports&&exports.__exportStar||function(m,exports2){for(var p in m)p!=="default"&&!Object.prototype.hasOwnProperty.call(exports2,p)&&__createBinding(exports2,m,p)};Object.defineProperty(exports,"__esModule",{value:!0});var _noFold;exports.awsSdkToIamAction=void 0,Object.defineProperty(exports,_noFold="awsSdkToIamAction",{enumerable:!0,configurable:!0,get:()=>{var value=require("./sdk-info").awsSdkToIamAction;return Object.defineProperty(exports,_noFold="awsSdkToIamAction",{enumerable:!0,configurable:!0,value}),value}});

cdk/node_modules/aws-cdk-lib/custom-resources/lib/helpers-internal/sdk-info.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Transform SDK service/action to IAM action using metadata obtained from AWS SDK metadata.
+ * Example: CloudWatchLogs with putRetentionPolicy => logs:PutRetentionPolicy
+ */
+export declare function awsSdkToIamAction(service: string, action: string): string;

cdk/node_modules/aws-cdk-lib/custom-resources/lib/helpers-internal/sdk-info.js

@@ -0,0 +1 @@
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.awsSdkToIamAction=awsSdkToIamAction;var path=()=>{var tmp=require("path");return path=()=>tmp,tmp};function awsSdkToIamAction(service,action){const v3Name=normalizeServiceName(service),iamPrefix=v3Metadata()[v3Name]?.iamPrefix??v3Name,iamAction=normalizeActionName(v3Name,action);return`${iamPrefix}:${iamAction}`}function normalizeServiceName(service){return service=service.toLowerCase(),service=service.replace(/^@aws-sdk\/client-/,""),service=v2ToV3Mapping()?.[service]??service,service}function normalizeActionName(v3Service,action){return action.charAt(0).toLowerCase()===action.charAt(0)?action.charAt(0).toUpperCase()+action.slice(1):v3Metadata()[v3Service]?.commands?.includes(action)?action:action.replace(/Command$/,"")}function v2ToV3Mapping(){return require(path().join(__dirname,"sdk-v2-to-v3.json"))}function v3Metadata(){return require(path().join(__dirname,"sdk-v3-metadata.json"))}

cdk/node_modules/aws-cdk-lib/custom-resources/lib/helpers-internal/sdk-v2-to-v3.json

@@ -0,0 +1,155 @@
+{
+  "acmpca": "acm-pca",
+  "apigateway": "api-gateway",
+  "arczonalshift": "arc-zonal-shift",
+  "appmesh": "app-mesh",
+  "applicationautoscaling": "application-auto-scaling",
+  "applicationinsights": "application-insights",
+  "applicationsignals": "application-signals",
+  "augmentedairuntime": "sagemaker-a2i-runtime",
+  "autoscaling": "auto-scaling",
+  "autoscalingplans": "auto-scaling-plans",
+  "bcmdataexports": "bcm-data-exports",
+  "backupgateway": "backup-gateway",
+  "bedrockagent": "bedrock-agent",
+  "bedrockagentruntime": "bedrock-agent-runtime",
+  "bedrockruntime": "bedrock-runtime",
+  "cur": "cost-and-usage-report-service",
+  "chimesdkidentity": "chime-sdk-identity",
+  "chimesdkmediapipelines": "chime-sdk-media-pipelines",
+  "chimesdkmeetings": "chime-sdk-meetings",
+  "chimesdkmessaging": "chime-sdk-messaging",
+  "chimesdkvoice": "chime-sdk-voice",
+  "cloudhsmv2": "cloudhsm-v2",
+  "cloudsearchdomain": "cloudsearch-domain",
+  "cloudtraildata": "cloudtrail-data",
+  "cloudwatchevents": "cloudwatch-events",
+  "cloudwatchlogs": "cloudwatch-logs",
+  "codegurureviewer": "codeguru-reviewer",
+  "codegurusecurity": "codeguru-security",
+  "codestarnotifications": "codestar-notifications",
+  "codestarconnections": "codestar-connections",
+  "cognitoidentity": "cognito-identity",
+  "cognitoidentityserviceprovider": "cognito-identity-provider",
+  "cognitosync": "cognito-sync",
+  "computeoptimizer": "compute-optimizer",
+  "configservice": "config-service",
+  "connectcontactlens": "connect-contact-lens",
+  "costexplorer": "cost-explorer",
+  "costoptimizationhub": "cost-optimization-hub",
+  "customerprofiles": "customer-profiles",
+  "dms": "database-migration-service",
+  "datapipeline": "data-pipeline",
+  "devopsguru": "devops-guru",
+  "devicefarm": "device-farm",
+  "directconnect": "direct-connect",
+  "directoryservice": "directory-service",
+  "discovery": "application-discovery-service",
+  "docdbelastic": "docdb-elastic",
+  "dynamodbstreams": "dynamodb-streams",
+  "ec2instanceconnect": "ec2-instance-connect",
+  "ecrpublic": "ecr-public",
+  "eksauth": "eks-auth",
+  "elb": "elastic-load-balancing",
+  "elbv2": "elastic-load-balancing-v2",
+  "emrserverless": "emr-serverless",
+  "emrcontainers": "emr-containers",
+  "es": "elasticsearch-service",
+  "elasticbeanstalk": "elastic-beanstalk",
+  "elasticinference": "elastic-inference",
+  "elastictranscoder": "elastic-transcoder",
+  "finspacedata": "finspace-data",
+  "forecastqueryservice": "forecastquery",
+  "forecastservice": "forecast",
+  "globalaccelerator": "global-accelerator",
+  "ivsrealtime": "ivs-realtime",
+  "inspectorscan": "inspector-scan",
+  "iot1clickdevicesservice": "iot-1click-devices-service",
+  "iot1clickprojects": "iot-1click-projects",
+  "iotevents": "iot-events",
+  "ioteventsdata": "iot-events-data",
+  "iotjobsdataplane": "iot-jobs-data-plane",
+  "iotwireless": "iot-wireless",
+  "iotdata": "iot-data-plane",
+  "kendraranking": "kendra-ranking",
+  "kinesisanalytics": "kinesis-analytics",
+  "kinesisanalyticsv2": "kinesis-analytics-v2",
+  "kinesisvideo": "kinesis-video",
+  "kinesisvideoarchivedmedia": "kinesis-video-archived-media",
+  "kinesisvideomedia": "kinesis-video-media",
+  "kinesisvideosignalingchannels": "kinesis-video-signaling",
+  "kinesisvideowebrtcstorage": "kinesis-video-webrtc-storage",
+  "launchwizard": "launch-wizard",
+  "lexmodelbuildingservice": "lex-model-building-service",
+  "lexmodelsv2": "lex-models-v2",
+  "lexruntime": "lex-runtime-service",
+  "lexruntimev2": "lex-runtime-v2",
+  "licensemanager": "license-manager",
+  "licensemanagerlinuxsubscriptions": "license-manager-linux-subscriptions",
+  "licensemanagerusersubscriptions": "license-manager-user-subscriptions",
+  "machinelearning": "machine-learning",
+  "managedblockchainquery": "managedblockchain-query",
+  "marketplaceagreement": "marketplace-agreement",
+  "marketplacecatalog": "marketplace-catalog",
+  "marketplacecommerceanalytics": "marketplace-commerce-analytics",
+  "marketplacedeployment": "marketplace-deployment",
+  "marketplaceentitlementservice": "marketplace-entitlement-service",
+  "marketplacemetering": "marketplace-metering",
+  "mediapackagevod": "mediapackage-vod",
+  "mediastoredata": "mediastore-data",
+  "medicalimaging": "medical-imaging",
+  "migrationhub": "migration-hub",
+  "migrationhubconfig": "migrationhub-config",
+  "migrationhubrefactorspaces": "migration-hub-refactor-spaces",
+  "networkfirewall": "network-firewall",
+  "paymentcryptography": "payment-cryptography",
+  "paymentcryptographydata": "payment-cryptography-data",
+  "pcaconnectorad": "pca-connector-ad",
+  "pcaconnectorscep": "pca-connector-scep",
+  "personalizeevents": "personalize-events",
+  "personalizeruntime": "personalize-runtime",
+  "pinpointemail": "pinpoint-email",
+  "pinpointsmsvoice": "pinpoint-sms-voice",
+  "pinpointsmsvoicev2": "pinpoint-sms-voice-v2",
+  "qldbsession": "qldb-session",
+  "rdsdataservice": "rds-data",
+  "redshiftdata": "redshift-data",
+  "redshiftserverless": "redshift-serverless",
+  "resourceexplorer2": "resource-explorer-2",
+  "resourcegroups": "resource-groups",
+  "resourcegroupstaggingapi": "resource-groups-tagging-api",
+  "route53": "route-53",
+  "route53domains": "route-53-domains",
+  "route53recoverycluster": "route53-recovery-cluster",
+  "route53recoverycontrolconfig": "route53-recovery-control-config",
+  "route53recoveryreadiness": "route53-recovery-readiness",
+  "s3control": "s3-control",
+  "ssmcontacts": "ssm-contacts",
+  "ssmincidents": "ssm-incidents",
+  "ssmquicksetup": "ssm-quicksetup",
+  "ssoadmin": "sso-admin",
+  "ssooidc": "sso-oidc",
+  "sagemakerfeaturestoreruntime": "sagemaker-featurestore-runtime",
+  "sagemakergeospatial": "sagemaker-geospatial",
+  "sagemakermetrics": "sagemaker-metrics",
+  "sagemakerruntime": "sagemaker-runtime",
+  "sagemakeredge": "sagemaker-edge",
+  "secretsmanager": "secrets-manager",
+  "servicecatalog": "service-catalog",
+  "servicecatalogappregistry": "service-catalog-appregistry",
+  "servicequotas": "service-quotas",
+  "snowdevicemanagement": "snow-device-management",
+  "ssmsap": "ssm-sap",
+  "stepfunctions": "sfn",
+  "storagegateway": "storage-gateway",
+  "supportapp": "support-app",
+  "timestreaminfluxdb": "timestream-influxdb",
+  "timestreamquery": "timestream-query",
+  "timestreamwrite": "timestream-write",
+  "transcribeservice": "transcribe",
+  "vpclattice": "vpc-lattice",
+  "voiceid": "voice-id",
+  "wafregional": "waf-regional",
+  "workspacesthinclient": "workspaces-thin-client",
+  "workspacesweb": "workspaces-web"
+}

cdk/node_modules/aws-cdk-lib/custom-resources/lib/index.d.ts

@@ -0,0 +1,3 @@
+export * from './aws-custom-resource';
+export * from './provider-framework';
+export * from './custom-resource-config';

cdk/node_modules/aws-cdk-lib/custom-resources/lib/provider-framework/index.d.ts

@@ -0,0 +1,2 @@
+export * from './provider';
+export * from './waiter-state-machine';

cdk/node_modules/aws-cdk-lib/custom-resources/lib/provider-framework/index.js

@@ -0,0 +1 @@
+"use strict";var __createBinding=exports&&exports.__createBinding||(Object.create?(function(o,m,k,k2){k2===void 0&&(k2=k);var desc=Object.getOwnPropertyDescriptor(m,k);(!desc||("get"in desc?!m.__esModule:desc.writable||desc.configurable))&&(desc={enumerable:!0,get:function(){return m[k]}}),Object.defineProperty(o,k2,desc)}):(function(o,m,k,k2){k2===void 0&&(k2=k),o[k2]=m[k]})),__exportStar=exports&&exports.__exportStar||function(m,exports2){for(var p in m)p!=="default"&&!Object.prototype.hasOwnProperty.call(exports2,p)&&__createBinding(exports2,m,p)};Object.defineProperty(exports,"__esModule",{value:!0});var _noFold;exports.Provider=void 0,Object.defineProperty(exports,_noFold="Provider",{enumerable:!0,configurable:!0,get:()=>{var value=require("./provider").Provider;return Object.defineProperty(exports,_noFold="Provider",{enumerable:!0,configurable:!0,value}),value}}),exports.WaiterStateMachine=void 0,Object.defineProperty(exports,_noFold="WaiterStateMachine",{enumerable:!0,configurable:!0,get:()=>{var value=require("./waiter-state-machine").WaiterStateMachine;return Object.defineProperty(exports,_noFold="WaiterStateMachine",{enumerable:!0,configurable:!0,value}),value}});

cdk/node_modules/aws-cdk-lib/custom-resources/lib/provider-framework/provider.d.ts

@@ -0,0 +1,199 @@
+import { Construct } from 'constructs';
+import type { LogOptions } from './waiter-state-machine';
+import '../../../aws-cloudformation';
+import type * as ec2 from '../../../aws-ec2';
+import * as iam from '../../../aws-iam';
+import type * as kms from '../../../aws-kms';
+import * as lambda from '../../../aws-lambda';
+import type * as logs from '../../../aws-logs';
+import { Duration } from '../../../core';
+/**
+ * Initialization properties for the `Provider` construct.
+ */
+export interface ProviderProps {
+    /**
+     * The AWS Lambda function to invoke for all resource lifecycle operations
+     * (CREATE/UPDATE/DELETE).
+     *
+     * This function is responsible to begin the requested resource operation
+     * (CREATE/UPDATE/DELETE) and return any additional properties to add to the
+     * event, which will later be passed to `isComplete`. The `PhysicalResourceId`
+     * property must be included in the response.
+     */
+    readonly onEventHandler: lambda.IFunction;
+    /**
+     * The AWS Lambda function to invoke in order to determine if the operation is
+     * complete.
+     *
+     * This function will be called immediately after `onEvent` and then
+     * periodically based on the configured query interval as long as it returns
+     * `false`. If the function still returns `false` and the alloted timeout has
+     * passed, the operation will fail.
+     *
+     * @default - provider is synchronous. This means that the `onEvent` handler
+     * is expected to finish all lifecycle operations within the initial invocation.
+     */
+    readonly isCompleteHandler?: lambda.IFunction;
+    /**
+     * Time between calls to the `isComplete` handler which determines if the
+     * resource has been stabilized.
+     *
+     * The first `isComplete` will be called immediately after `handler` and then
+     * every `queryInterval` seconds, and until `timeout` has been reached or until
+     * `isComplete` returns `true`.
+     *
+     * @default Duration.seconds(5)
+     */
+    readonly queryInterval?: Duration;
+    /**
+     * Total timeout for the entire operation.
+     *
+     * The maximum timeout is 1 hour (yes, it can exceed the AWS Lambda 15 minutes)
+     *
+     * @default Duration.minutes(30)
+     */
+    readonly totalTimeout?: Duration;
+    /**
+     * The number of days framework log events are kept in CloudWatch Logs. When
+     * updating this property, unsetting it doesn't remove the log retention policy.
+     * To remove the retention policy, set the value to `INFINITE`.
+     *
+     * This is a legacy API and we strongly recommend you migrate to `logGroup` if you can.
+     * `logGroup` allows you to create a fully customizable log group and instruct the Lambda function to send logs to it.
+     *
+     * @default logs.RetentionDays.INFINITE
+     */
+    readonly logRetention?: logs.RetentionDays;
+    /**
+     * The Log Group used for logging of events emitted by the custom resource's lambda function.
+     *
+     * Providing a user-controlled log group was rolled out to commercial regions on 2023-11-16.
+     * If you are deploying to another type of region, please check regional availability first.
+     *
+     * @default - a default log group created by AWS Lambda
+     */
+    readonly logGroup?: logs.ILogGroupRef;
+    /**
+     * The vpc to provision the lambda functions in.
+     *
+     * @default - functions are not provisioned inside a vpc.
+     */
+    readonly vpc?: ec2.IVpc;
+    /**
+     * Which subnets from the VPC to place the lambda functions in.
+     *
+     * Only used if 'vpc' is supplied. Note: internet access for Lambdas
+     * requires a NAT gateway, so picking Public subnets is not allowed.
+     *
+     * @default - the Vpc default strategy if not specified
+     */
+    readonly vpcSubnets?: ec2.SubnetSelection;
+    /**
+     * Security groups to attach to the provider functions.
+     *
+     * Only used if 'vpc' is supplied
+     *
+     * @default - If `vpc` is not supplied, no security groups are attached. Otherwise, a dedicated security
+     * group is created for each function.
+     */
+    readonly securityGroups?: ec2.ISecurityGroup[];
+    /**
+     * AWS Lambda execution role.
+     *
+     * The role is shared by provider framework's onEvent, isComplete lambda, and onTimeout Lambda functions.
+     * This role will be assumed by the AWS Lambda, so it must be assumable by the 'lambda.amazonaws.com'
+     * service principal.
+     *
+     * @default - A default role will be created.
+     * @deprecated - Use frameworkOnEventRole, frameworkCompleteAndTimeoutRole
+     */
+    readonly role?: iam.IRole;
+    /**
+     * Lambda execution role for provider framework's onEvent Lambda function. Note that this role must be assumed
+     * by the 'lambda.amazonaws.com' service principal.
+     *
+     * This property cannot be used with 'role' property
+     *
+     * @default - A default role will be created.
+     */
+    readonly frameworkOnEventRole?: iam.IRole;
+    /**
+     * Lambda execution role for provider framework's isComplete/onTimeout Lambda function. Note that this role
+     * must be assumed by the 'lambda.amazonaws.com' service principal. To prevent circular dependency problem
+     * in the provider framework, please ensure you specify a different IAM Role for 'frameworkCompleteAndTimeoutRole'
+     * from 'frameworkOnEventRole'.
+     *
+     * This property cannot be used with 'role' property
+     *
+     * @default - A default role will be created.
+     */
+    readonly frameworkCompleteAndTimeoutRole?: iam.IRole;
+    /**
+     * Provider Lambda name.
+     *
+     * The provider lambda function name.
+     *
+     * @default -  CloudFormation default name from unique physical ID
+     */
+    readonly providerFunctionName?: string;
+    /**
+     * AWS KMS key used to encrypt provider lambda's environment variables.
+     *
+     * @default -  AWS Lambda creates and uses an AWS managed customer master key (CMK)
+     */
+    readonly providerFunctionEnvEncryption?: kms.IKeyRef;
+    /**
+     * Defines what execution history events of the waiter state machine are logged and where they are logged.
+     *
+     * @default - A default log group will be created if logging for the waiter state machine is enabled.
+     */
+    readonly waiterStateMachineLogOptions?: LogOptions;
+    /**
+     * Whether logging for the waiter state machine is disabled.
+     *
+     * @default - true
+     */
+    readonly disableWaiterStateMachineLogging?: boolean;
+    /**
+     * Log level of the provider framework lambda
+     *
+     * @default true - Logging is disabled by default
+     */
+    readonly frameworkLambdaLoggingLevel?: lambda.ApplicationLogLevel;
+}
+/**
+ * Defines an AWS CloudFormation custom resource provider.
+ */
+export declare class Provider extends Construct {
+    /**
+     * Uniquely identifies this class.
+     */
+    static readonly PROPERTY_INJECTION_ID: string;
+    /**
+     * The user-defined AWS Lambda function which is invoked for all resource
+     * lifecycle operations (CREATE/UPDATE/DELETE).
+     */
+    readonly onEventHandler: lambda.IFunction;
+    /**
+     * The user-defined AWS Lambda function which is invoked asynchronously in
+     * order to determine if the operation is complete.
+     */
+    readonly isCompleteHandler?: lambda.IFunction;
+    /**
+     * The service token to use in order to define custom resources that are
+     * backed by this provider.
+     */
+    readonly serviceToken: string;
+    private readonly entrypoint;
+    private readonly logRetention?;
+    private readonly logGroup?;
+    private readonly vpc?;
+    private readonly vpcSubnets?;
+    private readonly securityGroups?;
+    private readonly role?;
+    private readonly providerFunctionEnvEncryption?;
+    private readonly frameworkLambdaLoggingLevel?;
+    constructor(scope: Construct, id: string, props: ProviderProps);
+    private addPermissions;
+    private createFunction;
+}

cdk/node_modules/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/cfn-response.d.ts

@@ -0,0 +1,21 @@
+import type { OnEventResponse } from '../types';
+export declare const CREATE_FAILED_PHYSICAL_ID_MARKER = "AWSCDK::CustomResourceProviderFramework::CREATE_FAILED";
+export declare const MISSING_PHYSICAL_ID_MARKER = "AWSCDK::CustomResourceProviderFramework::MISSING_PHYSICAL_ID";
+export interface CloudFormationResponseOptions {
+    readonly reason?: string;
+    readonly noEcho?: boolean;
+}
+export interface CloudFormationEventContext {
+    StackId: string;
+    RequestId: string;
+    PhysicalResourceId?: string;
+    LogicalResourceId: string;
+    ResponseURL: string;
+    Data?: any;
+}
+export declare function submitResponse(status: 'SUCCESS' | 'FAILED', event: CloudFormationEventContext, options?: CloudFormationResponseOptions): Promise<void>;
+export declare let includeStackTraces: boolean;
+export declare function safeHandler(block: (event: any) => Promise<void>): (event: any) => Promise<void>;
+export declare function redactDataFromPayload(payload: OnEventResponse): OnEventResponse;
+export declare class Retry extends Error {
+}

cdk/node_modules/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/cfn-response.js

@@ -0,0 +1 @@
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.Retry=exports.includeStackTraces=exports.MISSING_PHYSICAL_ID_MARKER=exports.CREATE_FAILED_PHYSICAL_ID_MARKER=void 0,exports.submitResponse=submitResponse,exports.safeHandler=safeHandler,exports.redactDataFromPayload=redactDataFromPayload;const url=require("url"),outbound_1=require("./outbound"),util_1=require("./util");exports.CREATE_FAILED_PHYSICAL_ID_MARKER="AWSCDK::CustomResourceProviderFramework::CREATE_FAILED",exports.MISSING_PHYSICAL_ID_MARKER="AWSCDK::CustomResourceProviderFramework::MISSING_PHYSICAL_ID";async function submitResponse(status,event,options={}){const json={Status:status,Reason:options.reason||status,StackId:event.StackId,RequestId:event.RequestId,PhysicalResourceId:event.PhysicalResourceId||exports.MISSING_PHYSICAL_ID_MARKER,LogicalResourceId:event.LogicalResourceId,NoEcho:options.noEcho,Data:event.Data},responseBody=JSON.stringify(json),parsedUrl=url.parse(event.ResponseURL),loggingSafeUrl=`${parsedUrl.protocol}//${parsedUrl.hostname}/${parsedUrl.pathname}?***`;options?.noEcho?(0,util_1.log)("submit redacted response to cloudformation",loggingSafeUrl,redactDataFromPayload(json)):(0,util_1.log)("submit response to cloudformation",loggingSafeUrl,json);const retryOptions={attempts:5,sleep:1e3};await(0,util_1.withRetries)(retryOptions,outbound_1.httpRequest)({hostname:parsedUrl.hostname,path:parsedUrl.path,method:"PUT",headers:{"content-type":"","content-length":Buffer.byteLength(responseBody,"utf8")}},responseBody)}exports.includeStackTraces=!0;function safeHandler(block){return async event=>{if(event.RequestType==="Delete"&&event.PhysicalResourceId===exports.CREATE_FAILED_PHYSICAL_ID_MARKER){(0,util_1.log)("ignoring DELETE event caused by a failed CREATE event"),await submitResponse("SUCCESS",event);return}try{await block(event)}catch(e){if(e instanceof Retry)throw(0,util_1.log)("retry requested by handler"),e;event.PhysicalResourceId||(event.RequestType==="Create"?((0,util_1.log)("CREATE failed, responding with a marker physical resource id so that the subsequent DELETE will be ignored"),event.PhysicalResourceId=exports.CREATE_FAILED_PHYSICAL_ID_MARKER):(0,util_1.log)(`ERROR: Malformed event. "PhysicalResourceId" is required: ${JSON.stringify({...event,ResponseURL:"..."})}`)),await submitResponse("FAILED",event,{reason:exports.includeStackTraces?e.stack:e.message})}}}function redactDataFromPayload(payload){const redactedPayload=JSON.parse(JSON.stringify(payload));if(redactedPayload.Data){const keys=Object.keys(redactedPayload.Data);for(const key of keys)redactedPayload.Data[key]="*****"}return redactedPayload}class Retry extends Error{}exports.Retry=Retry;

cdk/node_modules/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/consts.d.ts

@@ -0,0 +1,6 @@
+export declare const USER_ON_EVENT_FUNCTION_ARN_ENV = "USER_ON_EVENT_FUNCTION_ARN";
+export declare const USER_IS_COMPLETE_FUNCTION_ARN_ENV = "USER_IS_COMPLETE_FUNCTION_ARN";
+export declare const WAITER_STATE_MACHINE_ARN_ENV = "WAITER_STATE_MACHINE_ARN";
+export declare const FRAMEWORK_ON_EVENT_HANDLER_NAME = "onEvent";
+export declare const FRAMEWORK_IS_COMPLETE_HANDLER_NAME = "isComplete";
+export declare const FRAMEWORK_ON_TIMEOUT_HANDLER_NAME = "onTimeout";

cdk/node_modules/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/consts.js

@@ -0,0 +1 @@
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.FRAMEWORK_ON_TIMEOUT_HANDLER_NAME=exports.FRAMEWORK_IS_COMPLETE_HANDLER_NAME=exports.FRAMEWORK_ON_EVENT_HANDLER_NAME=exports.WAITER_STATE_MACHINE_ARN_ENV=exports.USER_IS_COMPLETE_FUNCTION_ARN_ENV=exports.USER_ON_EVENT_FUNCTION_ARN_ENV=void 0,exports.USER_ON_EVENT_FUNCTION_ARN_ENV="USER_ON_EVENT_FUNCTION_ARN",exports.USER_IS_COMPLETE_FUNCTION_ARN_ENV="USER_IS_COMPLETE_FUNCTION_ARN",exports.WAITER_STATE_MACHINE_ARN_ENV="WAITER_STATE_MACHINE_ARN",exports.FRAMEWORK_ON_EVENT_HANDLER_NAME="onEvent",exports.FRAMEWORK_IS_COMPLETE_HANDLER_NAME="isComplete",exports.FRAMEWORK_ON_TIMEOUT_HANDLER_NAME="onTimeout";

cdk/node_modules/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/framework.d.ts

@@ -0,0 +1,7 @@
+declare const _default: {
+    onEvent: (event: any) => Promise<void>;
+    isComplete: (event: any) => Promise<void>;
+    onTimeout: typeof onTimeout;
+};
+export = _default;
+declare function onTimeout(timeoutEvent: any): Promise<void>;

cdk/node_modules/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/framework.js

@@ -0,0 +1,3 @@
+"use strict";const cfnResponse=require("./cfn-response"),consts=require("./consts"),outbound_1=require("./outbound"),util_1=require("./util");async function onEvent(cfnRequest){const sanitizedRequest={...cfnRequest,ResponseURL:"..."};(0,util_1.log)("onEventHandler",sanitizedRequest),cfnRequest.ResourceProperties=cfnRequest.ResourceProperties||{};const onEventResult=await invokeUserFunction(consts.USER_ON_EVENT_FUNCTION_ARN_ENV,sanitizedRequest,cfnRequest.ResponseURL);onEventResult?.NoEcho?(0,util_1.log)("redacted onEvent returned:",cfnResponse.redactDataFromPayload(onEventResult)):(0,util_1.log)("onEvent returned:",onEventResult);const resourceEvent=createResponseEvent(cfnRequest,onEventResult),sanitizedEvent={...resourceEvent,ResponseURL:"..."};if(onEventResult?.NoEcho?(0,util_1.log)("readacted event:",cfnResponse.redactDataFromPayload(sanitizedEvent)):(0,util_1.log)("event:",sanitizedEvent),!process.env[consts.USER_IS_COMPLETE_FUNCTION_ARN_ENV])return cfnResponse.submitResponse("SUCCESS",resourceEvent,{noEcho:resourceEvent.NoEcho});const waiter={stateMachineArn:(0,util_1.getEnv)(consts.WAITER_STATE_MACHINE_ARN_ENV),input:JSON.stringify(resourceEvent)};(0,util_1.log)("starting waiter",{stateMachineArn:(0,util_1.getEnv)(consts.WAITER_STATE_MACHINE_ARN_ENV)}),await(0,outbound_1.startExecution)(waiter)}async function isComplete(event){const sanitizedRequest={...event,ResponseURL:"..."};event?.NoEcho?(0,util_1.log)("redacted isComplete request",cfnResponse.redactDataFromPayload(sanitizedRequest)):(0,util_1.log)("isComplete",sanitizedRequest);const isCompleteResult=await invokeUserFunction(consts.USER_IS_COMPLETE_FUNCTION_ARN_ENV,sanitizedRequest,event.ResponseURL);if(event?.NoEcho?(0,util_1.log)("redacted user isComplete returned:",cfnResponse.redactDataFromPayload(isCompleteResult)):(0,util_1.log)("user isComplete returned:",isCompleteResult),!isCompleteResult.IsComplete)throw isCompleteResult.Data&&Object.keys(isCompleteResult.Data).length>0?new Error('"Data" is not allowed if "IsComplete" is "False"'):new cfnResponse.Retry(JSON.stringify(event));const response={...event,...isCompleteResult,Data:{...event.Data,...isCompleteResult.Data}};await cfnResponse.submitResponse("SUCCESS",response,{noEcho:event.NoEcho})}async function onTimeout(timeoutEvent){(0,util_1.log)("timeoutHandler",timeoutEvent);const isCompleteRequest=JSON.parse(JSON.parse(timeoutEvent.Cause).errorMessage);await cfnResponse.submitResponse("FAILED",isCompleteRequest,{reason:"Operation timed out"})}async function invokeUserFunction(functionArnEnv,sanitizedPayload,responseUrl){const functionArn=(0,util_1.getEnv)(functionArnEnv);(0,util_1.log)(`executing user function ${functionArn} with payload`,sanitizedPayload);const resp=await(0,outbound_1.invokeFunction)({FunctionName:functionArn,Payload:JSON.stringify({...sanitizedPayload,ResponseURL:responseUrl})});(0,util_1.log)("user function response:",resp,typeof resp);const jsonPayload=(0,util_1.parseJsonPayload)(resp.Payload);if(resp.FunctionError){(0,util_1.log)("user function threw an error:",resp.FunctionError);const errorMessage=jsonPayload.errorMessage||"error",arn=functionArn.split(":"),functionName=arn[arn.length-1],message=[errorMessage,"",`Logs: /aws/lambda/${functionName}`,""].join(`
+`),e=new Error(message);throw jsonPayload.trace&&(e.stack=[message,...jsonPayload.trace.slice(1)].join(`
+`)),e}return jsonPayload}function createResponseEvent(cfnRequest,onEventResult){onEventResult=onEventResult||{};const physicalResourceId=onEventResult.PhysicalResourceId||defaultPhysicalResourceId(cfnRequest);if(cfnRequest.RequestType==="Delete"&&physicalResourceId!==cfnRequest.PhysicalResourceId)throw new Error(`DELETE: cannot change the physical resource ID from "${cfnRequest.PhysicalResourceId}" to "${onEventResult.PhysicalResourceId}" during deletion`);return cfnRequest.RequestType==="Update"&&physicalResourceId!==cfnRequest.PhysicalResourceId&&(0,util_1.log)(`UPDATE: changing physical resource ID from "${cfnRequest.PhysicalResourceId}" to "${onEventResult.PhysicalResourceId}"`),{...cfnRequest,...onEventResult,PhysicalResourceId:physicalResourceId}}function defaultPhysicalResourceId(req){switch(req.RequestType){case"Create":return req.RequestId;case"Update":case"Delete":return req.PhysicalResourceId;default:throw new Error(`Invalid "RequestType" in request "${JSON.stringify(req)}"`)}}module.exports={[consts.FRAMEWORK_ON_EVENT_HANDLER_NAME]:cfnResponse.safeHandler(onEvent),[consts.FRAMEWORK_IS_COMPLETE_HANDLER_NAME]:cfnResponse.safeHandler(isComplete),[consts.FRAMEWORK_ON_TIMEOUT_HANDLER_NAME]:onTimeout};

cdk/node_modules/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/outbound.d.ts

@@ -0,0 +1,10 @@
+import * as https from 'https';
+import type { InvocationResponse, InvokeCommandInput } from '@aws-sdk/client-lambda';
+import type { StartExecutionInput, StartExecutionOutput } from '@aws-sdk/client-sfn';
+declare function defaultHttpRequest(options: https.RequestOptions, requestBody: string): Promise<void>;
+declare function defaultStartExecution(req: StartExecutionInput): Promise<StartExecutionOutput>;
+declare function defaultInvokeFunction(req: InvokeCommandInput): Promise<InvocationResponse>;
+export declare let startExecution: typeof defaultStartExecution;
+export declare let invokeFunction: typeof defaultInvokeFunction;
+export declare let httpRequest: typeof defaultHttpRequest;
+export {};

cdk/node_modules/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/outbound.js

@@ -0,0 +1 @@
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.httpRequest=exports.invokeFunction=exports.startExecution=void 0;const https=require("https"),client_lambda_1=require("@aws-sdk/client-lambda"),client_sfn_1=require("@aws-sdk/client-sfn"),FRAMEWORK_HANDLER_TIMEOUT=9e5,awsSdkConfig={httpOptions:{timeout:FRAMEWORK_HANDLER_TIMEOUT}};async function defaultHttpRequest(options,requestBody){return new Promise((resolve,reject)=>{try{const request=https.request(options,response=>{response.resume(),!response.statusCode||response.statusCode>=400?reject(new Error(`Unsuccessful HTTP response: ${response.statusCode}`)):resolve()});request.on("error",reject),request.write(requestBody),request.end()}catch(e){reject(e)}})}let sfn,lambda;async function defaultStartExecution(req){return sfn||(sfn=new client_sfn_1.SFN(awsSdkConfig)),sfn.startExecution(req)}async function defaultInvokeFunction(req){lambda||(lambda=new client_lambda_1.Lambda(awsSdkConfig));try{return await lambda.invoke(req)}catch{return await(0,client_lambda_1.waitUntilFunctionActiveV2)({client:lambda,maxWaitTime:300},{FunctionName:req.FunctionName}),lambda.invoke(req)}}exports.startExecution=defaultStartExecution,exports.invokeFunction=defaultInvokeFunction,exports.httpRequest=defaultHttpRequest;

cdk/node_modules/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/util.d.ts

@@ -0,0 +1,10 @@
+export declare function getEnv(name: string): string;
+export declare function log(title: any, ...args: any[]): void;
+export interface RetryOptions {
+    /** How many retries (will at least try once) */
+    readonly attempts: number;
+    /** Sleep base, in ms */
+    readonly sleep: number;
+}
+export declare function withRetries<A extends Array<any>, B>(options: RetryOptions, fn: (...xs: A) => Promise<B>): (...xs: A) => Promise<B>;
+export declare function parseJsonPayload(payload: string | Buffer | Uint8Array | undefined | null): any;

cdk/node_modules/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/util.js

@@ -0,0 +1 @@
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.getEnv=getEnv,exports.log=log,exports.withRetries=withRetries,exports.parseJsonPayload=parseJsonPayload;function getEnv(name){const value=process.env[name];if(!value)throw new Error(`The environment variable "${name}" is not defined`);return value}function log(title,...args){console.log("[provider-framework]",title,...args.map(x=>typeof x=="object"?JSON.stringify(x,void 0,2):x))}function withRetries(options,fn){return async(...xs)=>{let attempts=options.attempts,ms=options.sleep;for(;;)try{return await fn(...xs)}catch(e){if(attempts--<=0)throw e;await sleep(Math.floor(Math.random()*ms)),ms*=2}}}async function sleep(ms){return new Promise(ok=>setTimeout(ok,ms))}function parseJsonPayload(payload){const text=new TextDecoder().decode(Buffer.from(payload??""));if(!text)return{};try{return JSON.parse(text)}catch{throw new Error(`return values from user-handlers must be JSON objects. got: "${text}"`)}}

cdk/node_modules/aws-cdk-lib/custom-resources/lib/provider-framework/types.d.ts

@@ -0,0 +1,117 @@
+// this is a type definition file that exports ambiant types that can be used
+// to implement async custom resource handler and enjoy the comfort of type safety.
+
+/**
+ * these types can be accessed without needing to `import` the module.
+ * e.g. `AWSCDKAsyncCustomResource.OnEventRequest`
+ */
+export as namespace AWSCDKAsyncCustomResource;
+
+/**
+ * Signature for the `onEvent` handler, which is called when a lifecycle event occurs.
+ */
+export type OnEventHandler = (event: OnEventRequest) => Promise<OnEventResponse | undefined>;
+
+/**
+ * Signature for the `isComplete` handler, which is called to detemrine if the
+ * event handling is complete. As long as this method returns `IsComplete:
+ * false`, the handler will be called (based on the rety policy defined by the
+ * provider) until a timeout occurs, an error is thrown or until it returns
+ * `true`.
+ */
+export type IsCompleteHandler = (event: IsCompleteRequest) => Promise<IsCompleteResponse>;
+
+/**
+ * The object passed to the user-defined `onEvent` handler.
+ */
+export interface OnEventRequest extends AWSLambda.CloudFormationCustomResourceEventCommon {
+  /**
+   * The request type is set by the AWS CloudFormation stack operation
+   * (create-stack, update-stack, or delete-stack) that was initiated by the
+   * template developer for the stack that contains the custom resource.
+   */
+  readonly RequestType: 'Create' | 'Update' | 'Delete';
+
+  /**
+   * Used only for Update requests. Contains the resource properties that were
+   * declared previous to the update request.
+   */
+  readonly OldResourceProperties?: { [key: string]: any };
+
+  /**
+   * A required custom resource provider-defined physical ID that is unique for
+   * that provider.
+   *
+   * Always sent with 'Update' and 'Delete' requests; never sent with 'Create'.
+   */
+  readonly PhysicalResourceId?: string;
+}
+
+/**
+ * The object returned from the user-defined `onEvent` handler.
+ */
+interface OnEventResponse {
+  /**
+   * A required custom resource provider-defined physical ID that is unique for
+   * that provider.
+   *
+   * In order to reduce the chance for mistakes, all event types MUST return
+   * with `PhysicalResourceId`.
+   *
+   * - For `Create`, this will be the user-defined or generated physical
+   *   resource ID.
+   * - For `Update`, if the returned PhysicalResourceId is different value from
+   *   the current one, it means that the old physical resource needs to be
+   *   deleted, and CloudFormation will immediately send a `Delete` event with
+   *   the old physical ID.
+   * - For `Delete`, this must be the same value received in the event.
+   *
+   * @default - for "Create" requests, defaults to the event's RequestId, for
+   * "Update" and "Delete", defaults to the current `PhysicalResourceId`.
+   */
+  readonly PhysicalResourceId?: string;
+
+  /**
+   * Resource attributes to return.
+   */
+  readonly Data?: { [name: string]: any };
+
+  /**
+   * Custom fields returned from OnEvent will be passed to IsComplete.
+   */
+  readonly [key: string]: any;
+
+  /**
+   * Whether to mask the output of the custom resource when retrieved
+   * by using the `Fn::GetAtt` function. If set to `true`, all returned
+   * values are masked with asterisks (*****).
+   *
+   * @default false
+   */
+  readonly NoEcho?: boolean;
+}
+
+/**
+ * The input to the `isComplete` user defined handler.
+ */
+export type IsCompleteRequest = OnEventRequest & OnEventResponse;
+
+/**
+ * The output of the `isComplete` user-defined handler.
+ */
+export interface IsCompleteResponse {
+  /**
+   * Indicates if the resource operation is complete or should we retry.
+   */
+  readonly IsComplete: boolean;
+
+  /**
+   * If present, overrides the PhysicalResourceId of OnEventResponse with the PhysicalResourceId of IsCompleteResponse.
+   */
+  readonly PhysicalResourceId?: string;
+
+  /**
+   * Additional/changes to resource attributes. This hash will be merged with the one returned from `OnEventResponse`.
+   */
+  readonly Data?: { [name: string]: any };
+}

cdk/node_modules/aws-cdk-lib/custom-resources/lib/provider-framework/util.d.ts

@@ -0,0 +1,10 @@
+import type { IConstruct } from 'constructs';
+import { Duration } from '../../../core';
+export declare function calculateRetryPolicy(scope: IConstruct, props?: {
+    totalTimeout?: Duration;
+    queryInterval?: Duration;
+}): {
+    maxAttempts: number;
+    interval: Duration;
+    backoffRate: number;
+};

cdk/node_modules/aws-cdk-lib/custom-resources/lib/provider-framework/util.js

@@ -0,0 +1 @@
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.calculateRetryPolicy=calculateRetryPolicy;var core_1=()=>{var tmp=require("../../../core");return core_1=()=>tmp,tmp},literal_string_1=()=>{var tmp=require("../../../core/lib/private/literal-string");return literal_string_1=()=>tmp,tmp};const DEFAULT_TIMEOUT=core_1().Duration.minutes(30),DEFAULT_INTERVAL=core_1().Duration.seconds(5);function calculateRetryPolicy(scope,props={}){const totalTimeout=props.totalTimeout||DEFAULT_TIMEOUT,interval=props.queryInterval||DEFAULT_INTERVAL,maxAttempts=totalTimeout.toSeconds()/interval.toSeconds();if(Math.round(maxAttempts)!==maxAttempts)throw new(core_1()).ValidationError((0,literal_string_1().lit)`CannotDetermineRetryCountSince`,`Cannot determine retry count since totalTimeout=${totalTimeout.toSeconds()}s is not integrally dividable by queryInterval=${interval.toSeconds()}s`,scope);return{maxAttempts,interval,backoffRate:1}}

cdk/node_modules/aws-cdk-lib/custom-resources/lib/provider-framework/waiter-state-machine.d.ts

@@ -0,0 +1,94 @@
+import { Construct } from 'constructs';
+import type { IGrantable } from '../../../aws-iam';
+import { Grant } from '../../../aws-iam';
+import type { IFunction } from '../../../aws-lambda';
+import type { ILogGroupRef } from '../../../aws-logs';
+import { LogLevel } from '../../../aws-stepfunctions';
+import type { Duration } from '../../../core';
+/**
+ * Log Options for the state machine.
+ */
+export interface LogOptions {
+    /**
+     * The log group where the execution history events will be logged.
+     *
+     * @default - a new log group will be created
+     */
+    readonly destination?: ILogGroupRef;
+    /**
+     * Determines whether execution data is included in your log.
+     *
+     * @default - false
+     */
+    readonly includeExecutionData?: boolean;
+    /**
+     * Defines which category of execution history events are logged.
+     *
+     * @default - ERROR
+     */
+    readonly level?: LogLevel;
+}
+/**
+ * Initialization properties for the `WaiterStateMachine` construct.
+ */
+export interface WaiterStateMachineProps {
+    /**
+     * The main handler that notifies if the waiter to decide 'complete' or 'incomplete'.
+     */
+    readonly isCompleteHandler: IFunction;
+    /**
+     * The handler to call if the waiter times out and is incomplete.
+     */
+    readonly timeoutHandler: IFunction;
+    /**
+     * The interval to wait between attempts.
+     */
+    readonly interval: Duration;
+    /**
+     * Number of attempts.
+     */
+    readonly maxAttempts: number;
+    /**
+     * Backoff between attempts.
+     */
+    readonly backoffRate: number;
+    /**
+     * Defines what execution history events are logged and where they are logged.
+     *
+     * @default - A default log group will be created if logging is enabled.
+     */
+    readonly logOptions?: LogOptions;
+    /**
+     * Whether logging for the state machine is disabled.
+     *
+     * @default - false
+     */
+    readonly disableLogging?: boolean;
+}
+/**
+ * A very simple StateMachine construct highly customized to the provider framework.
+ * We previously used `CfnResource` instead of `CfnStateMachine` to avoid depending
+ * on `aws-stepfunctions` module, but now it is okay.
+ *
+ * The state machine continuously calls the isCompleteHandler, until it succeeds or times out.
+ * The handler is called `maxAttempts` times with an `interval` duration and a `backoffRate` rate.
+ */
+export declare class WaiterStateMachine extends Construct {
+    /**
+     * Uniquely identifies this class.
+     */
+    static readonly PROPERTY_INJECTION_ID: string;
+    /**
+     * The ARN of the state machine.
+     */
+    readonly stateMachineArn: string;
+    private readonly isCompleteHandler;
+    constructor(scope: Construct, id: string, props: WaiterStateMachineProps);
+    /**
+     * Grant the given identity permissions on StartExecution of the state machine.
+     *
+     * [disable-awslint:no-grants]
+     */
+    grantStartExecution(identity: IGrantable): Grant;
+    private renderLoggingConfiguration;
+}